CVE-2024-38002
📋 TL;DR
Remote authenticated users can modify workflow definitions in Liferay Portal/DXP through the headless workflow API, which can lead to arbitrary code execution (RCE) on the server. Affected: Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 36.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
Liferay Portal is an open-source, Java-based enterprise portal and digital experience platform; Liferay DXP is the commercially supported edition built on the same code base. Both ship a workflow engine whose definitions can be managed through the Control Panel and through the headless REST APIs.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the Liferay server, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
An authenticated user who can reach the headless workflow API modifies a workflow definition and, through it, executes arbitrary code on the server, compromising the application and the account Liferay runs as on the underlying host.
If Mitigated
With the workflow API reachable only from trusted networks, and Liferay running as an unprivileged account on a segmented host, a successful exploit is contained to the Liferay application server.
🎯 Exploit Status
Exploitation requires an authenticated account but little technical skill beyond that: the attack surface is the headless workflow API (the /o/headless-admin-workflow/* endpoints), reachable with an ordinary HTTP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.112+, Liferay DXP 2023.Q4.6+, 2023.Q3.9+, 7.4 update 93+, 7.3 update 37+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002
Restart Required: Yes
Instructions:
1. DXP: download the fix (update or quarterly release) from the Liferay customer portal. Portal CE: download the 7.4.3.112 or later release; the advisory lists no fixed 7.3 CE release, so 7.3.x Portal installs must move to 7.4.3.112+.
2. Apply it following Liferay's patching or upgrade procedure for your edition.
3. Restart the Liferay server.
4. Confirm the running version is a patched one (see How to Verify below).
🔧 Temporary Workarounds
Disable Headless API Access
Restrict or disable access to the headless API endpoints that allow workflow definition modifications.
Either restrict API access in Liferay's configuration (portal-ext.properties) or, more simply and more auditable, add a reverse-proxy or web-server rule that blocks /o/headless-admin-workflow/* for all but trusted administrative sources. Afterwards confirm that legitimate integrations and the Control Panel workflow screens still work, and remember that the rule does not protect against an authenticated attacker inside the allowed network.
Network Access Controls
Implement network-level restrictions that limit which clients can reach the vulnerable endpoints.
Configure firewall rules so that Liferay's API endpoints accept connections only from trusted networks; this narrows who can exploit the flaw but does not remove it for users who are both authenticated and on the allowed network.
🧯 If You Can't Patch
- Since exploitation requires an authenticated account, shrink the authenticated population: remove stale and shared accounts, enforce strong authentication, and monitor authenticated activity against the workflow API
- Isolate Liferay servers from critical infrastructure with network segmentation and run Liferay as an unprivileged service account, so a compromised instance cannot reach other systems directly
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the affected ranges above; Control Panel → Configuration → Server Administration → System Information shows the exact build
Check Version:
Read it from the Control Panel as above, or from the Liferay-Portal HTTP response header, which Liferay adds to responses unless its verbosity has been reduced in configuration
Verify Fix Applied:
Confirm the version shown is at or beyond the patched version for your line (7.4.3.112+, 2023.Q4.6+, 2023.Q3.9+, 7.4 update 93+, 7.3 update 37+), then re-test in a staging environment that an authenticated account without workflow administration rights can no longer modify workflow definitions through the headless API
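A worked example of the version check, added here as illustration and not part of the original page or of Liferay's own tooling: it classifies version strings in the shapes the advisory uses and reports whether they fall inside an affected range. The string formats it accepts (dotted Portal versions, DXP quarterly releases such as 2023.Q4.5, and DXP update builds written as "7.4 update 92", "7.4 u92" or "7.4.13-u92") and the decision to treat a GA build as update 0 are my assumptions; anything else is reported as unrecognised rather than guessed.

```python
import re
from typing import Optional

# Affected ranges, inclusive, taken from the advisory text on this page.
PORTAL_RANGE = ((7, 3, 2), (7, 4, 3, 111))                 # Liferay Portal CE
QUARTERLY_RANGES = {(2023, 3): (1, 8), (2023, 4): (0, 5)}  # DXP 2023.Q3.1-Q3.8, 2023.Q4.0-Q4.5
UPDATE_RANGES = {(7, 3): (0, 36), (7, 4): (0, 92)}         # DXP 7.3 GA-u36, 7.4 GA-u92

# Version-string shapes this checker understands (assumption: adjust to how your
# inventory records versions). "7.4.13-u92" is the common label for DXP update builds.
PORTAL_RE = re.compile(r"^(\d+(?:\.\d+){1,3})$")                    # 7.4.3.111
QUARTERLY_RE = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$", re.I)      # 2023.Q4.5
UPDATE_RE = re.compile(                                            # 7.4 update 92 / 7.4 u92 / 7.4.13-u92 / 7.4 GA
    r"^(\d+)\.(\d+)(?:\.\d+)?\s*(?:GA|-?\s*u(?:pdate)?\s*(\d+))$", re.I
)


def _in_range(value, lo, hi):
    return lo <= value <= hi


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version lies in an affected range, False if it is outside every
    listed range (patched or never affected), None if the format is unrecognised."""
    v = version.strip()

    m = QUARTERLY_RE.match(v)
    if m:
        year, quarter, patch = (int(x) for x in m.groups())
        rng = QUARTERLY_RANGES.get((year, quarter))
        return rng is not None and _in_range(patch, *rng)

    m = UPDATE_RE.match(v)
    if m:
        major, minor = int(m.group(1)), int(m.group(2))
        update = int(m.group(3)) if m.group(3) else 0  # GA treated as update 0 (assumption)
        rng = UPDATE_RANGES.get((major, minor))
        return rng is not None and _in_range(update, *rng)

    m = PORTAL_RE.match(v)
    if m:
        parts = tuple(int(x) for x in m.group(1).split("."))
        return _in_range(parts, *PORTAL_RANGE)

    return None


if __name__ == "__main__":
    # Constructed inventory of version strings, one per hypothetical host.
    for host, ver in [("cms-01", "7.4.3.111"), ("cms-02", "7.4.3.112"),
                      ("dxp-01", "2023.Q4.5"), ("dxp-02", "7.4.13-u93"),
                      ("legacy", "7.3 GA"), ("odd", "7.4-rc1")]:
        state = {True: "AFFECTED", False: "not affected", None: "unrecognised"}[is_vulnerable(ver)]
        print(f"{host:8} {ver:12} {state}")
```

Feed the function the version string exactly as the Control Panel reports it; a bare DXP version without an update suffix (for example "7.4.13") would be read as a Portal CE build, so normalise DXP entries to the update form first.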
📡 Detection & Monitoring
Log Indicators:
- Unusual workflow definition modifications
- Multiple failed then successful authentication attempts followed by API calls to workflow endpoints
- Suspicious POST/PUT requests to /o/headless-admin-workflow/*
Network Indicators:
- Unusual traffic patterns to workflow API endpoints
- Multiple authentication attempts from single source
SIEM Query (Splunk-style; the HTTP method terms match the Tomcat or reverse-proxy access log, the "workflow definition" term the application log, so point source at both and adjust the names to your indexes):
(source="*access_log*" OR source="*liferay*.log") AND ("workflow definition" OR "/o/headless-admin-workflow/") AND ("modif" OR "update" OR "POST" OR "PUT")
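To make the log indicators above concrete, here is an added example (not code from the original page or from Liferay) that runs the detection over a few constructed access-log lines in combined log format: it flags mutating requests (POST/PUT/PATCH/DELETE) to /o/headless-admin-workflow/* and raises the severity when the same source IP accumulated 401/403 responses earlier in the log, which is the failed-then-successful pattern listed above. The sample lines, the sub-paths in them, the log regex and the failure threshold are my assumptions; adapt the regex to your proxy's or Tomcat's access-log pattern.

```python
import re
from collections import defaultdict

# Combined log format as emitted by a typical reverse proxy in front of Liferay.
# Assumption: your proxy or Tomcat access-log pattern may differ; adjust the regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WORKFLOW_API_PREFIX = "/o/headless-admin-workflow/"
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
FAILED_AUTH_THRESHOLD = 3  # assumption: tune to your environment

# Constructed sample lines (not real traffic): a benign GET, an unrelated POST,
# three 401s from 203.0.113.7 followed by a successful workflow-definition update,
# and one mutating call from 198.51.100.9 with no prior failures. Sub-paths are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jun/2024:10:00:01 +0000] "GET /o/headless-admin-workflow/v1.0/workflow-definitions HTTP/1.1" 200 1843
10.0.0.5 - admin [12/Jun/2024:10:00:02 +0000] "POST /o/headless-delivery/v1.0/sites/20123/blog-postings HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2024:10:05:10 +0000] "POST /o/headless-admin-workflow/v1.0/workflow-definitions HTTP/1.1" 401 0
203.0.113.7 - - [12/Jun/2024:10:05:11 +0000] "POST /o/headless-admin-workflow/v1.0/workflow-definitions HTTP/1.1" 401 0
203.0.113.7 - - [12/Jun/2024:10:05:12 +0000] "POST /o/headless-admin-workflow/v1.0/workflow-definitions HTTP/1.1" 401 0
203.0.113.7 - jdoe [12/Jun/2024:10:05:20 +0000] "PUT /o/headless-admin-workflow/v1.0/workflow-definitions/by-name/Single%20Approver HTTP/1.1" 200 2210
198.51.100.9 - svc-cms [12/Jun/2024:10:07:00 +0000] "POST /o/headless-admin-workflow/v1.0/workflow-definitions HTTP/1.1" 200 40
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_workflow_mutations(log_text):
    """One finding per successful mutating request to the workflow admin API.

    Each finding records source IP, the user the proxy logged, the request, and how
    many 401/403 responses that IP received earlier; crossing FAILED_AUTH_THRESHOLD
    bumps severity, since that is the brute-force-then-success pattern listed above."""
    failed_auth = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in (401, 403):
            failed_auth[rec["ip"]] += 1   # count rejected attempts per source
            continue
        if rec["method"] in MUTATING_METHODS and rec["path"].startswith(WORKFLOW_API_PREFIX):
            prior = failed_auth[rec["ip"]]
            findings.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "request": f'{rec["method"]} {rec["path"]}',
                "status": rec["status"],
                "prior_failed_auth": prior,
                "severity": "high" if prior >= FAILED_AUTH_THRESHOLD else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_workflow_mutations(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} user={f['user']} {f['request']} -> {f['status']} "
              f"(prior failed auth: {f['prior_failed_auth']})")
```

Every hit deserves a look, not only the high-severity ones: a legitimate deployment pipeline will also appear here, so maintain an allow-list of known service accounts and source addresses and alert on anything outside it.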