Protect Your Liferay Portal or DXP Installation from XXE Attacks

CVE: CVE-2024-25606
CVSS v3.1: 8
Source: CVE-2024-25606

Liferay Portal and DXP are popular open source portal and digital experience platforms used by many organizations. Unfortunately, Liferay Portal versions 7.2.0 through 7.4.3.7, and Liferay DXP 7.4 before update 4, 7.3 before update 12 and 7.2 before fix pack 20, are affected by a vulnerability that allows XXE (XML External Entity) attacks.

XXE attacks work by tricking the application into processing a malicious XML document that contains external entity references. When the XML parser resolves those references, an attacker can read files from the server filesystem, perform port scanning, cause denial of service and more.
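To make the defensive side of this concrete, here is an added example (not code from Liferay or from this advisory) showing how a Java DOM parser is configured so that a document carrying an external entity declaration is rejected before any entity is resolved; the XML input, the class name and the placeholder file URI are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedXmlParser {
    // Constructed sample input: the DOCTYPE declares an external entity, which is
    // the construct an XXE payload relies on. The URI is a placeholder, not a target.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<cfg><value>&ext;</value></cfg>";

    /** Builds a DocumentBuilder that refuses DTDs and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Most robust setting: with no DOCTYPE allowed there is nowhere to declare an entity.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments that must keep DTDs enabled for some reason.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5+ properties: forbid all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML with the hardened builder; true only if it was accepted. */
    static boolean parsesSafely(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc != null;
        } catch (Exception e) {
            // A SAXParseException is raised as soon as the DOCTYPE is seen,
            // before any entity can be fetched; treat the input as rejected.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("entity payload accepted: " + parsesSafely(UNTRUSTED_XML));
        System.out.println("plain document accepted: " + parsesSafely("<cfg><v>ok</v></cfg>"));
    }
}
```

The first call is rejected because the DOCTYPE is refused outright; the second, which carries no DTD, parses normally, so the hardening does not break ordinary well-formed input.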

In the case of Liferay, attackers with permission to deploy widgets, portlets or extensions could exploit this vulnerability to obtain sensitive information such as configuration files, or to consume server resources.

To protect yourself, administrators should immediately apply the latest updates released by Liferay, which fix this vulnerability. Users should also carefully review the permissions given to third-party applications and plugins. Regular security audits of deployed applications are also recommended.

Staying on top of software updates is one of the best ways to prevent exploitation of known vulnerabilities. Users are therefore advised to always keep their Liferay installation updated to the latest version to avoid falling victim to attacks like XXE.