This critical vulnerability, tracked by the page as CVE-2024-4340, is a deserialization-of-untrusted-data issue in Liferay Portal and Liferay DXP. The flaw resides in the JSON web services (JSONWS) API. An attacker exploits it by sending a crafted HTTP POST request whose JSON payload carries a serialized Java object. When the vulnerable `InvokerAction` handler or a similar endpoint processes the payload, the platform deserializes the object without validating its type. Because deserialization is attacker-controlled, arbitrary code can be executed through gadget chains already present on the application's classpath, such as those from the Apache Commons Collections library. Successful exploitation gives the attacker control of the underlying server with the privileges of the Liferay application process, leading to complete system compromise, data theft, and lateral movement into the network. No authentication is required, so the issue is exploitable remotely by anyone who can reach the endpoint.
Platform: Liferay DXP/Portal
Version: < 7.4.3.112
Vulnerability: RCE Deserialization
Severity: Critical
Date: 2024-08-20
Prediction: Patch 2024-09-10
What Undercode Says:
#!/bin/bash
# Check Liferay version: the Liferay-Portal response header and the page footer carry it,
# so include response headers (-i) in what is grepped.
curl -si http://target/ | grep -i "liferay"
# Simulate Exploit Check (Educational): helper script referenced by the page, not included here
python3 cve-2024-4340_check.py --url http://target
# Patch Verification: jars are zip archives, so search the archive listing rather than the compressed bytes.
# PortalSecurityManager is the indicator class the page names for a patched install.
find /liferay-home -name "*.jar" -print0 | xargs -0 -I{} sh -c 'unzip -l "{}" | grep -q PortalSecurityManager && echo "{}"'
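The version check above only eyeballs a banner. The following is an added example (not code from the original page or from Liferay) that turns the page's fix level, 7.4.3.112, into a deterministic comparison: it pulls the first dotted version out of a Liferay-Portal header or footer string and reports whether it is below the minimum fixed version. The header name `Liferay-Portal` is the real response header Liferay sets; the banner strings below are constructed samples.

```python
"""Decide whether a Liferay version string is below the fix level the page cites.

Added example, not from the original page or from Liferay. It assumes the
version string has already been obtained (for example from the Liferay-Portal
response header or the page footer) and compares it against 7.4.3.112.
"""
import re

MIN_FIXED = (7, 4, 3, 112)  # "Upgrade to 7.4.3.112+" per the page


def parse_version(text):
    """Extract the first dotted numeric version (2 to 4 components) from a banner.

    Returns a tuple of ints, or None if no such version is present.
    """
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(text, min_fixed=MIN_FIXED):
    """True when the parsed version is below min_fixed, False when at or above,
    None when the text carries no parseable version."""
    v = parse_version(text)
    if v is None:
        return None
    # Pad shorter versions with zeros so 7.4.3 compares as 7.4.3.0.
    padded = v + (0,) * (len(min_fixed) - len(v))
    return padded[: len(min_fixed)] < min_fixed


def version_from_headers(headers):
    """Look up the Liferay-Portal header case-insensitively in a headers dict.

    Returns the header value or None. Constructed for this example; any HTTP
    client that exposes response headers as a mapping can feed it.
    """
    for name, value in headers.items():
        if name.lower() == "liferay-portal":
            return value
    return None


# Constructed sample banners in the Community Edition format the page's
# version numbers follow.
SAMPLE_HEADERS_OLD = {"Liferay-Portal": "Liferay Community Edition Portal 7.4.3.111 CE GA111"}
SAMPLE_HEADERS_FIXED = {"Liferay-Portal": "Liferay Community Edition Portal 7.4.3.112 CE GA112"}

if __name__ == "__main__":
    for hdrs in (SAMPLE_HEADERS_OLD, SAMPLE_HEADERS_FIXED):
        banner = version_from_headers(hdrs)
        print(banner, "->", "vulnerable" if is_vulnerable(banner) else "at or above fix level")
```

The comparison applies to the CE numbering the page uses (7.4.3.GAn). DXP 7.4 reports its level as "7.4.13 Update N", so a DXP banner must be mapped to the vendor's fix notice rather than compared with this tuple.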
How the Exploit Works:
POST /api/jsonws/invoke HTTP/1.1
Host: target
Content-Type: application/json

{"cmd": "unserialize", "data": "rO0ABX…MALICIOUS…PAYLOAD…"}
The `data` value is a base64-encoded Java serialization stream: `rO0AB` is the base64 form of the stream header bytes AC ED 00 05, and the payload body is elided on the page.
Protection from this CVE
Apply vendor patch.
Upgrade to 7.4.3.112+.
Disable JSONWS if unused.
Implement network segmentation.
Use WAF rules.
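"Use WAF rules" is only useful with a concrete rule. As an added example (not from the original page or from Liferay), the code below is the detection logic a WAF or log-inspection job would run against requests to the JSONWS endpoint: it walks the JSON body and flags any string that carries a Java serialization stream, either as the base64 prefix `rO0AB` shown in the request above, as hex `aced0005`, or as a base64 blob that decodes to the AC ED 00 05 magic. The sample request body is constructed; its payload is just the stream header plus a dummy class name, not a gadget chain.

```python
"""Flag Java serialization streams inside JSON bodies sent to Liferay JSONWS.

Added example, not from the original page or from Liferay. The endpoint
prefix /api/jsonws is the real Liferay JSON web services path; the request
body and payload below are constructed for the example.
"""
import base64
import binascii
import json
import re

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header
B64_PREFIX = "rO0AB"                    # base64 of AC ED 00 05 (sixth char varies)
JSONWS_PREFIX = "/api/jsonws"


def _looks_serialized(s):
    """Return a label for the encoding found, or None if the string is clean."""
    s = s.strip()
    if s.startswith(B64_PREFIX):
        return "base64-java-serialized"
    if re.fullmatch(r"(?i)aced0005[0-9a-f]*", s):
        return "hex-java-serialized"
    # Anything base64-shaped of reasonable length: decode and check the magic bytes,
    # which also catches streams wrapped in leading whitespace or line breaks.
    if len(s) >= 8 and re.fullmatch(r"[A-Za-z0-9+/=\s]+", s):
        try:
            if base64.b64decode(s)[:4] == JAVA_SER_MAGIC:
                return "base64-java-serialized"
        except (binascii.Error, ValueError):
            pass
    return None


def find_serialized_values(obj, path="$"):
    """Recursively walk parsed JSON; return [(json_path, label)] for each hit."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_serialized_values(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits += find_serialized_values(value, f"{path}[{idx}]")
    elif isinstance(obj, str):
        label = _looks_serialized(obj)
        if label:
            hits.append((path, label))
    return hits


def inspect_request(path, body):
    """Return hits for a JSON request to the JSONWS endpoint, [] otherwise.

    Non-JSON bodies are ignored here; a production rule should also block or
    log bodies that fail to parse, since that is itself an anomaly for JSONWS.
    """
    if not path.startswith(JSONWS_PREFIX):
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return find_serialized_values(data)


# Constructed stand-in payload: stream header, TC_OBJECT (0x73), TC_CLASSDESC (0x72)
# and a dummy class name. It is NOT a gadget chain and resolves to nothing.
SAMPLE_PAYLOAD = base64.b64encode(JAVA_SER_MAGIC + b"\x73\x72\x00\x05Dummy").decode()
SAMPLE_REQUEST = '{"cmd": "unserialize", "data": "%s"}' % SAMPLE_PAYLOAD
BENIGN_REQUEST = '{"cmd": "ping", "data": "hello"}'

if __name__ == "__main__":
    print(inspect_request("/api/jsonws/invoke", SAMPLE_REQUEST))
    print(inspect_request("/api/jsonws/invoke", BENIGN_REQUEST))
```

A prefix match is a cheap first filter, not a boundary: it misses streams delivered through another encoding layer (URL-encoded, gzip-compressed, split across fields), so the rule belongs alongside the patch and the option of disabling JSONWS, not in place of them.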
Impact:
Remote Code Execution
Complete System Compromise
Data Breach Potential
Unauthenticated Attack Vector
Sources:
Reported By: nvd.nist.gov