CVE-2020-7961 — Liferay Portal Deserialization of Untrusted Data Vulnerability

Liferay Portal — Unauthenticated RCE via JSON Web Services Java Deserialization

What is Liferay Portal?

Liferay Portal is one of the most widely deployed open-source Java-based enterprise portal and content management platforms, used by government agencies, universities, financial institutions, and large corporations worldwide to build intranet portals, customer portals, and public-facing web applications. It provides a web framework with built-in user management, content management, workflow, and integration capabilities. Because Liferay deployments often serve as the front door for organizational intranets and house internal data, they are high-value targets for initial access.

Overview

CVE-2020-7961 is a Java deserialization of untrusted data vulnerability (CWE-502) in Liferay Portal's JSON web services layer. The /api/jsonws/invoke endpoint — which allows programmatic access to Liferay's service layer — accepts serialized Java objects without proper validation. An unauthenticated attacker can send a crafted serialized payload exploiting known Java gadget chains to achieve remote code execution on the Liferay server. The vulnerability is exploitable by anyone with HTTP access to the Liferay Portal URL.

Affected Versions

Liferay Portal Version | Vulnerable          | Fixed
7.2.x                  | < 7.2 CE GA2        | 7.2 CE GA2+
7.1.x                  | < 7.1 CE GA4        | 7.1 CE GA4+
7.0.x                  | < 7.0 GA7 fix pack  | Apply fix pack
6.x                    | All                 | Upgrade required

Liferay DXP (commercial) versions have corresponding fixes detailed in the vendor advisory.

Technical Details

Liferay Portal exposes a JSON web services API at /api/jsonws/invoke that allows callers to invoke server-side service methods via HTTP. This endpoint accepts serialized Java objects as part of its parameter handling. Liferay uses Java's native serialization mechanism; when deserializing objects sent by the client, the Java runtime processes them through any available class in the JVM classpath before type validation occurs.

Using gadget chains from popular libraries (Apache Commons Collections, Spring Framework, etc.) that are commonly present in Liferay's classpath, an attacker can craft a serialized payload that triggers a sequence of method calls culminating in arbitrary OS command execution. The exploit sends an HTTP POST to /api/jsonws/invoke with a specially crafted serialized Java object in the request body. Because the endpoint is accessible without authentication, no credentials are required.

The attack yields code execution as the user running the Liferay application server (often liferay, tomcat, or jboss), which in many deployments has broad filesystem and database access.

Discovery

The vulnerability was discovered and reported to Liferay via responsible disclosure. Liferay patched it in CE GA2 / GA4 releases in March 2020. Java deserialization vulnerabilities in web frameworks had been well-understood since the 2015 AppSec California research by Frohoff and Lawrence; Liferay's exposure followed the same pattern seen in Apache Commons Collections gadget chains.

Exploitation Context

CISA added CVE-2020-7961 to the KEV catalog on November 3, 2021 as part of the initial KEV launch, indicating confirmed exploitation in the wild. Liferay Portal's prevalence in government intranet deployments makes it a particularly attractive target for nation-state actors seeking access to internal government systems and documents.

Exploitation has been observed in:

  • Automated mass scanning by cryptomining operators targeting /api/jsonws/invoke endpoints on default port 8080
  • Targeted campaigns against government and educational institution Liferay deployments
  • Initial access by threat actors subsequently using the foothold for lateral movement into broader enterprise networks

Remediation

  1. Upgrade Liferay Portal: Apply Liferay Portal 7.2 CE GA2+, 7.1 CE GA4+, or the relevant DXP fix pack. For Liferay 6.x, upgrade to 7.x — no backport fix exists for the 6.x branch.
  2. Disable JSON web services if not used: In portal-ext.properties, set json.web.service.enabled=false if your deployment does not require programmatic API access.
  3. Firewall /api/jsonws/ if possible: Restrict access to the JSON web services endpoint at the reverse proxy or firewall level to known IP addresses.
  4. Apply Java deserialization filters: Configure the JVM's built-in serialization filter (JEP 290; set as the system property -Djdk.serialFilter=... or as the jdk.serialFilter security property in java.security) or use a deserialization firewall library to block known gadget chains.
  5. Review logs: Search application logs for unexpected POST requests to /api/jsonws/invoke or /api/jsonws, particularly with binary content type headers or large request bodies.
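For the log-review step, a small scanner over reverse-proxy access logs that flags POSTs to /api/jsonws paths carrying a non-JSON media type or an oversized request body. This is an added example, not code from the page or from Liferay; the nginx-style log format, the constructed sample lines and the 16 KiB size threshold are assumptions.

```python
import re
# Assumed nginx-style log_format, constructed for this example (not from the page):
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$content_type" $request_length'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ctype>[^"]*)" (?P<reqlen>\d+)$'
)
JSONWS_PREFIX = "/api/jsonws"
# Media types a legitimate JSON web services client normally sends.
EXPECTED_CTYPES = ("application/json", "application/x-www-form-urlencoded")

# Constructed sample traffic (not real logs); the first and third lines should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2021:08:12:44 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 512 "application/x-java-serialized-object" 18342',
    '198.51.100.7 - - [10/Nov/2021:08:13:01 +0000] "GET /web/guest/home HTTP/1.1" 200 9812 "-" 412',
    '203.0.113.5 - - [10/Nov/2021:08:13:10 +0000] "POST /api/jsonws/invoke HTTP/1.1" 500 214 "application/json" 67000',
    '192.0.2.9 - - [10/Nov/2021:08:14:02 +0000] "POST /api/jsonws/user/get-user-by-id HTTP/1.1" 200 340 "application/json" 190',
]

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["reqlen"] = int(rec["reqlen"])
    return rec

def classify(rec, size_threshold=16384):
    """Return why a record looks like jsonws probing (empty list means benign)."""
    if rec["method"] != "POST" or not rec["path"].startswith(JSONWS_PREFIX):
        return []
    reasons = []
    # Drop parameters such as "; charset=utf-8" before comparing the media type.
    ctype = rec["ctype"].split(";")[0].strip().lower()
    if ctype not in ("", "-") and not ctype.startswith(EXPECTED_CTYPES):
        reasons.append(f"unexpected content-type {ctype}")
    if rec["reqlen"] > size_threshold:
        reasons.append(f"request length {rec['reqlen']} exceeds {size_threshold}")
    return reasons

def scan_access_log(lines, size_threshold=16384):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify(rec, size_threshold)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return findings
```

Tune the threshold to the largest legitimate jsonws request your own clients send; the media-type check is the stronger signal, since Liferay's API clients post JSON or form data, not serialized objects.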

Key Details

Property             | Value
CVE ID               | CVE-2020-7961
Vendor / Product     | Liferay — Liferay Portal
NVD Published        | 2020-03-20
NVD Last Modified    | 2025-11-07
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-502
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2020-03-20 | CVE-2020-7961 published; Liferay releases patched versions
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource                                   | Type
Liferay Security Advisory — CVE-2020-7961  | Vendor Advisory
NVD — CVE-2020-7961                        | Vulnerability Database
CISA KEV Catalog Entry                     | US Government