Liferay TunnelServlet Deserialization Remote Code Execution

  1. Web Vulnerabilities
  2. Liferay TunnelServlet Deserialization Remote Code Execution
Description
  • Liferay TunnelServlet is vulnerable to deserialization attacks and, due to incorrect configuration, is accessible to an attacker (by default, it is restricted to localhost only). Depending on exact version of Liferay Portal, an attacker could exploit this vulnerability using specially-crafted serialized data to execute arbitrary code on the system or to perform denial of service attack.
Remediation
  • Restrict access to the vulnerable endpoints.
References
Severity
Classification
Tags
Related Vulnerabilities