CVE-2020-7961: 
Java vulnerability analysis and mitigation

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). The vulnerability was discovered in 2020 and assigned CVE-2020-7961. This critical vulnerability affects Liferay Portal Community Edition versions up to 7.2.0 (NVD, CVE).

The vulnerability is a Java unmarshalling vulnerability via JSONWS in Liferay Portal. Marshalling, which is similar to serialization, is used for communication with remote objects. The vulnerability allows attackers to provide a malicious object that, when unmarshalled, enables remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating it is network-accessible, requires low complexity to exploit, needs no privileges or user interaction, and can result in high impact to confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. Successful exploitation can enable attackers to use compromised systems for crypto-mining, lateral movement across company networks, or launching attacks on external targets while masquerading as the compromised company (CheckPoint Research).

Organizations should upgrade to Liferay Portal version 7.2.1 CE GA2 or later to address this vulnerability. The vulnerability has been patched in this version, and upgrading is the primary recommended mitigation strategy (NVD).

The vulnerability has gained significant attention due to its inclusion in CISA's Known Exploited Vulnerabilities Catalog. CISA has mandated federal agencies to address this vulnerability by May 3, 2022, highlighting its severity and active exploitation in the wild (NVD).