What is Liferay Portal?
Liferay Portal is one of the most widely deployed open-source Java-based enterprise portal and content management platforms, used by government agencies, universities, financial institutions, and large corporations worldwide to build intranet portals, customer portals, and public-facing web applications. It provides a web framework with built-in user management, content management, workflow, and integration capabilities. Because Liferay deployments often serve as the front door for organizational intranets and house internal data, they are high-value targets for initial access.
Overview
CVE-2020-7961 is a Java deserialization of untrusted data vulnerability (CWE-502) in Liferay Portal's JSON web services layer. The /api/jsonws/invoke endpoint — which allows programmatic access to Liferay's service layer — accepts serialized Java objects without proper validation. An unauthenticated attacker can send a crafted serialized payload exploiting known Java gadget chains to achieve remote code execution on the Liferay server. The vulnerability is exploitable by anyone with HTTP access to the Liferay Portal URL.
Affected Versions
| Liferay Portal Version | Vulnerable | Fixed |
|---|---|---|
| 7.2.x | < 7.2 CE GA2 | 7.2 CE GA2+ |
| 7.1.x | < 7.1 CE GA4 | 7.1 CE GA4+ |
| 7.0.x | < 7.0 GA7 fix pack | Apply fix pack |
| 6.x | All | Upgrade required |
Liferay DXP (commercial) versions have corresponding fixes detailed in the vendor advisory.
Technical Details
Liferay Portal exposes a JSON web services API at /api/jsonws/invoke that allows callers to invoke server-side service methods via HTTP. This endpoint accepts serialized Java objects as part of its parameter handling. Liferay uses Java's native serialization mechanism; when deserializing objects sent by the client, the Java runtime processes them through any available class in the JVM classpath before type validation occurs.
Using gadget chains from popular libraries (Apache Commons Collections, Spring Framework, etc.) that are commonly present in Liferay's classpath, an attacker can craft a serialized payload that triggers a sequence of method calls culminating in arbitrary OS command execution. The exploit sends an HTTP POST to /api/jsonws/invoke with a specially crafted serialized Java object in the request body. Because the endpoint is accessible without authentication, no credentials are required.
The attack yields code execution as the user running the Liferay application server (often liferay, tomcat, or jboss), which in many deployments has broad filesystem and database access.
Discovery
The vulnerability was discovered and reported to Liferay via responsible disclosure. Liferay patched it in CE GA2 / GA4 releases in March 2020. Java deserialization vulnerabilities in web frameworks had been well-understood since the 2015 AppSec California research by Frohoff and Lawrence; Liferay's exposure followed the same pattern seen in Apache Commons Collections gadget chains.
Exploitation Context
CISA added CVE-2020-7961 to the KEV catalog on November 3, 2021 as part of the initial KEV launch, indicating confirmed exploitation in the wild. Liferay Portal's prevalence in government intranet deployments makes it a particularly attractive target for nation-state actors seeking access to internal government systems and documents.
Exploitation has been observed in:
- Automated mass scanning by cryptomining operators targeting /api/jsonws/invoke endpoints on default port 8080
- Targeted campaigns against government and educational institution Liferay deployments
- Initial access by threat actors subsequently using the foothold for lateral movement into broader enterprise networks
Remediation
- Upgrade Liferay Portal: Apply Liferay Portal 7.2 CE GA2+, 7.1 CE GA4+, or the relevant DXP fix pack. For Liferay 6.x, upgrade to 7.x — no backport fix exists for the 6.x branch.
- Disable JSON web services if not used: In portal-ext.properties, set json.web.service.enabled=false if your deployment does not require programmatic API access.
- Firewall /api/jsonws/ if possible: Restrict access to the JSON web services endpoint at the reverse proxy or firewall level to known IP addresses.
- Apply Java deserialization filters: Configure Java's serialization filter mechanism (-Djava.security.serialFilter=...) or use a deserialization firewall library to block known gadget chains.
- Review logs: Search application logs for unexpected POST requests to /api/jsonws/invoke or /api/jsonws, particularly with binary content type headers or large request bodies.
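The log review step above, as an added example that is not part of the original advisory or of Liferay's own tooling: it triages access-log lines for POSTs to the JSON web services layer with an unexpected content type or an oversized request body, and counts such POSTs per source address to surface mass scanning. It assumes a Tomcat AccessLogValve pattern that records the Content-Type and Content-Length request headers (%{Content-Type}i and %{Content-Length}i), which is not Liferay's default pattern; the sample lines and the 4096-byte threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumed access log pattern (not Liferay's default):
#   %h %t "%r" %s %b "%{Content-Type}i" %{Content-Length}i
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<resp>\S+) "(?P<ctype>[^"]*)" (?P<clen>\S+)$'
)
# Content types the JSONWS endpoint is normally called with; anything else on a POST is suspect.
EXPECTED_CTYPES = ("application/x-www-form-urlencoded", "application/json")
BODY_THRESHOLD = 4096  # bytes; constructed value, tune to your deployment's normal API usage

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_jsonws_post(rec):
    return rec is not None and rec["method"] == "POST" and rec["path"].startswith("/api/jsonws")

def is_suspicious(rec):
    """POST to /api/jsonws* with a non-form/non-JSON content type or an oversized request body."""
    if not is_jsonws_post(rec):
        return False
    ctype = rec["ctype"].split(";")[0].strip().lower()
    clen = int(rec["clen"]) if rec["clen"].isdigit() else 0
    return ctype not in EXPECTED_CTYPES or clen > BODY_THRESHOLD

def triage(lines):
    """Return (suspicious records, count of JSONWS POSTs per source IP)."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if is_jsonws_post(rec):
            per_ip[rec["ip"]] += 1
        if is_suspicious(rec):
            hits.append(rec)
    return hits, per_ip

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 [20/Mar/2020:10:01:02 +0000] "GET /web/guest/home HTTP/1.1" 200 5120 "-" -',
    '10.0.0.7 [20/Mar/2020:10:02:11 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 312 "application/x-www-form-urlencoded" 87',
    '203.0.113.9 [20/Mar/2020:10:03:45 +0000] "POST /api/jsonws/invoke HTTP/1.1" 500 0 "application/octet-stream" 18231',
    '203.0.113.9 [20/Mar/2020:10:03:46 +0000] "POST /api/jsonws HTTP/1.1" 500 0 "application/x-www-form-urlencoded" 9410',
]

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for rec in hits:
        print(f"SUSPICIOUS {rec['ip']} {rec['path']} ctype={rec['ctype']} len={rec['clen']}")
    print("JSONWS POSTs per source:", dict(per_ip))
```

Against the sample the two requests from 203.0.113.9 are flagged while the small form-encoded call from 10.0.0.7 is not; in practice the per-source counter is the quicker signal for the automated scanning described above.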
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-7961 |
| Vendor / Product | Liferay — Liferay Portal |
| NVD Published | 2020-03-20 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-03-20 | CVE-2020-7961 published; Liferay releases patched versions |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Liferay Security Advisory — CVE-2020-7961 | Vendor Advisory |
| NVD — CVE-2020-7961 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |