Liferay TunnelServlet Deserialization Remote Code Execution

Description
  • Liferay's TunnelServlet (served at /api/liferay/do) accepts Java-serialized objects and is vulnerable to deserialization attacks. By default Liferay only serves the endpoint to localhost (the tunnel.servlet.hosts.allowed property defaults to 127.0.0.1,SERVER_IP), but on this host the allow-list has been widened or disabled, so the endpoint is reachable by a remote attacker. Depending on the exact Liferay Portal version, an attacker who can reach the endpoint can submit specially crafted serialized data to execute arbitrary code on the system or to cause a denial of service.
Remediation
  • Restrict access to the vulnerable endpoint: set tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP in portal-ext.properties (remove any extra hosts and never leave the value empty, which disables the check), and additionally block /api/liferay/do at the reverse proxy or firewall so that only the portal host itself can reach it. Upgrade to a fixed Liferay Portal release as published by the vendor. Verify the fix by requesting /api/liferay/do from a host outside the allow-list; it must be rejected rather than answered.
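The following is an added example, not Liferay's own code, showing the configuration check a practitioner would run before and after applying the remediation above. It parses a portal-ext.properties fragment and reports every entry in tunnel.servlet.hosts.allowed that opens the TunnelServlet beyond the portal host itself. It assumes the Liferay property name tunnel.servlet.hosts.allowed, that SERVER_IP is Liferay's placeholder for the server's own address, and (as an assumption about Liferay's access check) that an empty allow-list means no host restriction at all. The three sample configurations are constructed for the example.

```python
"""Audit a Liferay portal-ext.properties fragment for an exposed TunnelServlet.

Added example, not Liferay project code. Assumptions (labelled):
  - the allow-list property is tunnel.servlet.hosts.allowed (Liferay default:
    127.0.0.1,SERVER_IP, where SERVER_IP stands for the portal host's own IP);
  - an empty value disables the host check entirely (reported as "*").
"""

PROPERTY = "tunnel.servlet.hosts.allowed"

# Entries that keep the endpoint on the portal host itself. Anything else
# widens who may POST serialized objects to /api/liferay/do.
LOCAL_ONLY = {"127.0.0.1", "::1", "localhost", "SERVER_IP"}

# Constructed sample fragments: hardened default, disabled check, widened list.
SAMPLE_LOCKED = "tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP\n"
SAMPLE_OPEN = "# someone 'fixed' a connection problem by blanking the list\n" \
              "tunnel.servlet.hosts.allowed=\n"
SAMPLE_WIDE = "liferay.home=/opt/liferay\n" \
              "tunnel.servlet.hosts.allowed=127.0.0.1, 10.0.0.5 ,SERVER_IP\n"


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def tunnel_exposure(text: str) -> list:
    """Return the allow-list entries that expose TunnelServlet beyond localhost.

    - property absent      -> Liferay default applies, nothing reported
    - property empty       -> check disabled (assumption), reported as ["*"]
    - otherwise            -> every entry not in LOCAL_ONLY, in file order
    """
    props = parse_properties(text)
    if PROPERTY not in props:
        return []
    value = props[PROPERTY]
    if value == "":
        return ["*"]
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    return [h for h in hosts if h not in LOCAL_ONLY]


def is_remediated(text: str) -> bool:
    """True when the fragment leaves TunnelServlet restricted to the portal host."""
    return tunnel_exposure(text) == []


if __name__ == "__main__":
    for name, fragment in (("locked", SAMPLE_LOCKED),
                           ("open", SAMPLE_OPEN),
                           ("wide", SAMPLE_WIDE)):
        print(f"{name:6s} exposed={tunnel_exposure(fragment)} "
              f"remediated={is_remediated(fragment)}")
```

Run it against the real portal-ext.properties by reading the file into tunnel_exposure(); an empty result means the property-level part of the remediation is in place, but the reverse-proxy or firewall rule on /api/liferay/do still has to be confirmed separately, since a property edit does nothing for a node that has not been restarted.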
References