Liferay Portal
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*
- >= 7.4.3.27, <= 7.4.3.42
A remote code execution vulnerability has been identified in Liferay Portal versions 7.4.3.27 through 7.4.3.42, as well as in Liferay DXP versions 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 27 through update 42. The vulnerability arises because the Objects module does not restrict Admin Users from using Groovy scripts in Object actions. This oversight allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts, leading to remote code execution. In contrast, Liferay DXP (Liferay SaaS) prohibits the use of Groovy in Object actions due to significant security risks. Starting with Liferay DXP 2024.Q2, administrators can configure whether Groovy scripts are permitted in their instances.
Exploitation of this vulnerability allows for arbitrary code execution on the server where Liferay Portal or Liferay DXP is hosted.
Users can upgrade to Liferay Portal 7.4.3.43 or Liferay DXP 2024.Q2.0 or 2024.Q3.0 to address this vulnerability.