CVE-2024-26273
📋 TL;DR
A CSRF vulnerability in Liferay Portal and DXP allows attackers to trick authenticated administrators into performing unauthorized actions. Attackers can change user passwords, shut down servers, execute arbitrary code, and perform other administrative functions. Affected versions include Liferay Portal 7.4.0-7.4.3.103 and multiple DXP versions.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized administrative actions such as password changes, service disruption, or configuration modifications.
If Mitigated
Limited impact with proper CSRF protections, though some risk remains if other vulnerabilities are chained.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into visiting a malicious page. CSRF attacks are well-understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.104+, Liferay DXP 2023.Q4.3+, 2023.Q3.6+, 7.4 update 93+, 7.3 update 36+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Back up your current installation.
3. Apply the fix pack following Liferay's deployment guide.
4. Restart the application server.
🔧 Temporary Workarounds
Enable CSRF Protection
Configure Liferay's built-in CSRF protection if not already enabled
Set portal.properties: csrf.token.enabled=true
Configure csrf.origin.whitelist appropriately
Restrict Administrative Access
Limit administrative access to trusted networks and implement additional authentication for sensitive actions
Configure firewall rules to restrict /group/control_panel access
Implement IP whitelisting for admin interfaces
🧯 If You Can't Patch
- Implement network segmentation to isolate Liferay instances from critical systems
- Deploy a WAF with CSRF protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel → Configuration → Server Administration → System Information
Check Version:
Check liferay.home/portal-ext.properties or Control Panel system information
Verify Fix Applied:
Verify version is updated to patched version and test CSRF protection functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative actions from unexpected IPs
- Multiple failed login attempts followed by administrative actions
- Requests with _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter
Network Indicators:
- HTTP POST requests to administrative endpoints with CSRF tokens missing or invalid
- Requests from external domains to internal administrative interfaces
SIEM Query:
source="liferay.log" AND ("password change" OR "shutdown" OR "script console") AND NOT user_agent="browser_agent"
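A small scanner for the network indicators above, added here as an example (not part of the advisory or of Liferay's code). It reads combined-format access-log lines, flags POSTs to the control panel path or carrying the redirect parameter listed above when the request lacks Liferay's p_auth CSRF token or arrives with a cross-site Referer, and assumes the portal is served from portal.example.com; the sample lines are constructed, and tokens posted only in the form body are not visible in access logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PORTAL_HOSTS = {"portal.example.com"}  # assumed: hostnames the portal legitimately serves
ADMIN_PATH_PREFIXES = ("/group/control_panel",)  # admin surface named in the advisory
ADMIN_PARAMS = {"_com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect"}
CSRF_PARAM = "p_auth"  # Liferay's CSRF token parameter; assumed to travel in the query string


def csrf_findings(m):
    """Reasons a parsed log line looks like a CSRF attempt against the admin surface (empty if clean)."""
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)
    is_admin = url.path.startswith(ADMIN_PATH_PREFIXES) or bool(ADMIN_PARAMS.intersection(params))
    if m.group("method") != "POST" or not is_admin:
        return []  # only state-changing requests to the admin surface matter
    reasons = []
    if CSRF_PARAM not in params:
        reasons.append("missing p_auth CSRF token")
    referer_host = urlsplit(m.group("referer")).hostname  # "-" or "" yields None
    if referer_host and referer_host not in PORTAL_HOSTS:
        reasons.append(f"cross-site referer {referer_host}")
    return reasons


def scan(lines):
    """Return (source ip, request target, reasons) for every suspicious line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := csrf_findings(m)):
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - admin [12/Mar/2024:10:15:01 +0000] "POST /group/control_panel/manage?p_auth=Kq7zX1r2 HTTP/1.1" 302 0 "https://portal.example.com/group/control_panel/manage" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2024:10:16:44 +0000] "POST /group/control_panel/manage HTTP/1.1" 302 0 "https://lure.example.net/prize.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2024:10:17:02 +0000] "GET /group/control_panel/manage HTTP/1.1" 200 5120 "https://lure.example.net/prize.html" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:18:30 +0000] "POST /web/guest/home?_com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect=/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```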