CVE-2021-38266
📋 TL;DR
This vulnerability in Liferay Portal's Portal Security module allows remote attackers to perform account lockout attacks by attempting to authenticate as users that exist in LDAP directories. This prevents legitimate users from accessing their accounts. Affected systems include Liferay Portal 7.2.1 and earlier, and Liferay DXP versions 7.0, 7.1, and 7.2 before specific fix packs.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all LDAP-authenticated users, rendering the portal unusable for legitimate authentication.
Likely Case
Targeted account lockout attacks against specific users or groups, disrupting business operations.
If Mitigated
Minimal impact with proper rate limiting, account lockout policies, and monitoring in place.
🎯 Exploit Status
Exploitation requires knowledge of LDAP usernames but no authentication. A simple script can automate the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.3.0+, Liferay DXP 7.0 fix pack 90+, 7.1 fix pack 17+, 7.2 fix pack 5+
Vendor Advisory: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from the Liferay Customer Portal.
2. Apply the fix pack following the Liferay documentation.
3. Restart the Liferay instance.
4. Verify that LDAP authentication works correctly.
🔧 Temporary Workarounds
Disable LDAP Authentication
Temporarily disable LDAP authentication until the patch can be applied. Note that this also blocks legitimate LDAP users from logging in, so it is only viable where those users have another authentication path.
Modify portal-ext.properties: ldap.auth.enabled=false
Implement Rate Limiting
Configure the web server or WAF to limit authentication attempts.
Configure rate limiting rules for the /c/portal/login endpoint (per source IP and, where the WAF can parse the form body, per target username).
🧯 If You Can't Patch
- Implement network-level restrictions to limit authentication attempts from untrusted sources
- Enable detailed logging for all authentication attempts and monitor for patterns
🔍 How to Verify
Check if Vulnerable:
Check Liferay version and compare against affected versions. Verify LDAP authentication is enabled.
Check Version:
Check Liferay Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
Test LDAP authentication with known valid and invalid users. Verify that no account lockout occurs after repeated failed attempts.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts for same LDAP user
- Account lockout events in authentication logs
- Unusual authentication patterns from single IPs
Network Indicators:
- High volume of POST requests to /c/portal/login
- Authentication traffic spikes from suspicious sources
SIEM Query (Splunk-style SPL; the field names assume the log parser extracts a user field):
source="liferay.log" "FAILED_LOGIN" user=* | bin _time span=1m | stats count BY _time, user | where count > 5
🔗 References
- http://liferay.com
- https://issues.liferay.com/browse/LPE-17191
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2021-38266