CVE-2024-25607: 
Java vulnerability analysis and mitigation

CVE-2024-25607 affects the default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal versions 7.2.0 through 7.4.3.15 and Liferay DXP versions 7.4 (before update 16), 7.3 (before update 4), 7.2 (before fix pack 17), and older unsupported versions. The vulnerability was disclosed on February 20, 2024, and involves a security weakness where the default configuration uses a low work factor for password hashing (Liferay Advisory).

The vulnerability stems from the default password hashing implementation using PBKDF2-HMAC-SHA1 with an insufficient work factor, making password hashes susceptible to cracking attempts. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating a serious security concern. The weakness is classified under CWE-916 (Use of Password Hash With Insufficient Computational Effort) (NVD).

The low work factor in the password hashing algorithm allows attackers to perform faster password cracking attempts against obtained password hashes, potentially compromising user account security. This could lead to unauthorized access to user accounts if password hashes are exposed (Liferay Advisory).

A workaround is available by setting 'passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/720000' in the portal-ext.properties file. For permanent fixes, users should upgrade to Liferay Portal 7.4.3.14, Liferay DXP 7.4 update 16, Liferay DXP 7.3 update 4, or Liferay DXP 7.2 fix pack 17. It's important to note that existing deployments switching to the higher work factor will need to migrate their password hashing algorithm (Liferay Advisory).