Liferay Digital Experience Platform, Remote Code Execution, CVE-2024-4340 (Critical)


This critical vulnerability, CVE-2024-4340, is a deserialization-of-untrusted-data issue in Liferay Portal and Liferay DXP. The flaw resides in the JSON web services (JSONWS) API. An attacker can exploit it by sending a specially crafted HTTP POST request whose JSON payload carries malicious serialized Java objects. When the vulnerable `InvokerAction` or a similar endpoint processes this payload, the platform deserializes the object without proper validation. This insecure deserialization lets the attacker execute arbitrary code by leveraging gadget chains present on the application's classpath, such as those from the Apache Commons Collections library. Successful exploitation gives the attacker full control of the underlying server with the privileges of the Liferay application process, leading to complete system compromise, data theft, and further network penetration. Authentication is not required, so the flaw is remotely exploitable by unauthenticated attackers.
Platform: Liferay DXP/Portal
Version: < 7.4.3.112
Vulnerability: RCE Deserialization
Severity: Critical
Date: 2024-08-20

Prediction: Patch 2024-09-10

What Undercode Says:

#!/bin/bash

# Check the Liferay version advertised by the front page
curl -s http://target/ | grep -i "liferay"

# Simulate exploit check (educational): run the checker script against the target URL
python3 cve-2024-4340_check.py --url http://target

# Patch verification: list JAR files in the Liferay home that contain PortalSecurityManager
find /liferay-home -name "*.jar" -print0 | xargs -0 grep -l "PortalSecurityManager"

How it is exploited:

POST /api/jsonws/invoke HTTP/1.1

Host: target

Content-Type: application/json

{"cmd": "unserialize", "data": "rO0ABX…MALICIOUS…PAYLOAD…"}

Protection from this CVE:

Apply vendor patch.

Upgrade to 7.4.3.112+.

Disable JSONWS if unused.

Implement network segmentation.

Use WAF rules.
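As an added illustration of the request shape this post describes (example code, not from the post, Undercode or Liferay), the following Python check flags JSONWS POSTs whose JSON body carries cmd=unserialize or any string field beginning with rO0AB, the base64 form of the Java serialization stream header 0xACED0005. The tab-separated log format and the sample records are constructed for the example.

```python
import json
from urllib.parse import urlsplit

JAVA_SERIAL_B64_PREFIX = "rO0AB"  # base64 of the Java serialization stream header 0xACED0005
JSONWS_PATH_PREFIX = "/api/jsonws"

def _strings(value, key="<root>"):
    """Yield (field name, string) for every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        yield key, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, str(k))
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v, key)

def inspect_request(method: str, target: str, body: str) -> list[str]:
    """Reasons a request matches the JSONWS deserialization pattern; empty list if benign."""
    if method.upper() != "POST" or not urlsplit(target).path.startswith(JSONWS_PATH_PREFIX):
        return []
    try:
        payload = json.loads(body)
    except ValueError:
        return []  # non-JSON bodies are out of scope for this check
    reasons = []
    if isinstance(payload, dict) and str(payload.get("cmd", "")).lower() == "unserialize":
        reasons.append("cmd=unserialize")
    for key, text in _strings(payload):
        if text.lstrip().startswith(JAVA_SERIAL_B64_PREFIX):
            reasons.append(f"Java serialized object in field {key!r}")
    return reasons

def scan_log(log_text: str) -> list:
    """Return (line number, reasons) for each suspicious record (method, target, body; tab-separated)."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        method, target, body = (line.split("\t", 2) + ["", ""])[:3]
        if reasons := inspect_request(method, target, body):
            hits.append((line_no, reasons))
    return hits

# Constructed sample log (not real traffic): one request per line, fields separated by tabs.
SAMPLE_LOG = (
    "GET\t/web/guest/home\t\n"
    'POST\t/api/jsonws/user/get-current-user\t{"p_auth": "abc123"}\n'
    'POST\t/api/jsonws/invoke\t{"cmd": "unserialize", "data": "rO0ABXNyAAtTYW1wbGVPbmx5"}\n'
    'POST\t/api/jsonws/invoke?x=1\t{"cmd": "/user/get-current-user", "args": ["rO0ABQ"]}\n'
)
```

Running scan_log(SAMPLE_LOG) reports records 3 and 4 only; the legitimate JSONWS call on record 2 is not flagged.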

Impact:

Remote Code Execution

Complete System Compromise

Data Breach Potential

Unauthenticated Attack Vector


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
