Liferay Digital Experience Platform, Remote Code Execution, CVE-2023-30597 (Critical)


CVE-2023-30597 is a critical deserialization vulnerability in Liferay Digital Experience Platform (DXP) and Liferay Portal. It affects the JSON web services API, specifically the `invoke` method endpoint. The vulnerability arises from improper validation of user-supplied data during deserialization in the PortalJSONWebServiceServlet. Attackers can exploit it by sending crafted HTTP POST requests with malicious serialized Java objects in the JSON payload. When processed, the deserialization mechanism executes arbitrary code embedded in these objects, because `ObjectInputStream` is used without proper safeguards. This allows remote attackers to achieve full system compromise by running commands on the underlying server. The flaw is present in configurations where the JSON web services are exposed, which is the default in many deployments. Exploitation does not require authentication, making it highly severe. The vulnerability stems from the use of vulnerable libraries and custom deserialization routines that trust input from unauthenticated users. By manipulating parameters like `cmd` or through nested object injection, attackers can bypass existing security checks. The issue is exacerbated by the fact that Liferay’s web services are often reachable on port 8080 or similar, increasing the attack surface. Successful exploitation leads to execution of OS commands with the privileges of the Liferay process, which typically runs as a privileged user. This can result in data theft, service disruption, and further network penetration. Patches address this by implementing stricter input validation and using safer deserialization methods.

dailycve form:

Platform: Liferay Digital Experience
Version: Up to 7.4.3.112
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2023-08-15

Prediction: Patch expected 2023-08-30

What Undercode Says:

Analytics:

curl -X POST http://TARGET:8080/api/jsonws/invoke -H "Content-Type: application/json" -d '{"method":"invalid","params":[]}'

nmap -p 8080 --script http-vuln-cve2023-30597 TARGET

java -jar ysoserial.jar CommonsCollections6 "ls" > payload.bin

python3 exploit.py --url http://TARGET --payload payload.json

How to Exploit:

Craft malicious serialized object.

Send POST request to /api/jsonws/invoke.

Use gadget chains like CommonsCollections.

Execute arbitrary OS commands.

Bypass authentication via unsecured endpoint.

Protection from this CVE:

Apply security patches.

Update to fixed versions.

Restrict network access.

Use input validation filters.

Disable unused web services.
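A minimal request filter of the kind the list above recommends, added here as an example and not taken from Liferay or from the patch: it inspects the JSON body of requests to the `/api/jsonws/invoke` endpoint named on the page and rejects any string value that carries a Java serialization stream header (hex `aced0005`, or `rO0AB` as the start of its base64 form). The request shape follows the page's curl example; the sample requests and their values are constructed.

```python
from __future__ import annotations
import json

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005):
# "aced0005" as hex, "rO0AB" as the start of any base64 encoding of it.
HEX_MAGIC = "aced0005"
B64_MAGIC = "rO0AB"
JSONWS_INVOKE = "/api/jsonws/invoke"  # endpoint named on the page

def carries_java_serialization(value: str) -> bool:
    """True if a string begins with a hex- or base64-encoded Java serialization header."""
    s = value.strip()
    return s.lower().startswith(HEX_MAGIC) or s.startswith(B64_MAGIC)

def find_serialized_values(node: object, path: str = "$") -> list[str]:
    """Walk parsed JSON and return JSONPath-style locations of suspect string values."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, child in node.items():
            hits += find_serialized_values(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            hits += find_serialized_values(child, f"{path}[{i}]")
    elif isinstance(node, str) and carries_java_serialization(node):
        hits.append(path)
    return hits

def filter_jsonws_request(path: str, body: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Only the invoke endpoint is inspected."""
    if path != JSONWS_INVOKE:
        return True, []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, [f"malformed JSON: {exc.msg}"]  # do not hand unparseable input to the servlet
    hits = find_serialized_values(doc)
    return (not hits), [f"Java serialization header at {h}" for h in hits]

# Constructed sample requests (not captured traffic) for a self-check.
SAMPLE_REQUESTS = {
    "benign": (JSONWS_INVOKE, '{"method":"/user/get-current-user","params":[]}'),
    "b64_param": (JSONWS_INVOKE, '{"method":"invalid","params":["rO0ABXNyAAtDb25zdHJ1Y3RlZA=="]}'),
    "hex_nested": (JSONWS_INVOKE, '{"method":"x","params":[{"cmd":"ACED0005737200"}]}'),
    "other_path": ("/c/portal/login", '{"params":["rO0ABXNy"]}'),
}

def check_samples() -> dict[str, bool]:
    """Map each sample name to whether the filter lets it through."""
    return {name: filter_jsonws_request(p, b)[0] for name, (p, b) in SAMPLE_REQUESTS.items()}
```

The prefix checks only catch values encoded at the top level of a string; a deployment filter would also decode nested encodings and log rejected requests for the SOC.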

Impact:

Remote code execution.

Full system compromise.

Data breach potential.

Service disruption.

Privilege escalation.


Sources:

Reported By: nvd.nist.gov
