Pete,

On 6/17/20 17:44, Pete Helgren wrote:
> I am going to guess that it is one of these two known
> vulnerabilities:
>
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981) The
> JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
>
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961) The JSONWebServiceActionParametersMap of
> Liferay Portal allows the instantiation of arbitrary classes and
> invocation of arbitrary setter methods.
>
> Found the signature in the logs and it's pretty clear that that is
> what we are up against. However, if something else comes to mind,
> feel free to post back. I did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended
> up with the miner.
>
> I have some updating to do....

Definitely update Liferay if these are known vulns.

You ought to upgrade Tomcat as well, since 8.0 is no longer supported. 8.0.32 is more than 4 years out of date. Latest 8.0.x release was 8.0.53 before support was dropped in favor of Tomcat 8.5.

> The VM running Tomcat/Liferay is served through reverse proxy
> listening on port 443 and passes traffic back to the Tomcat
> instance listening on 7080. The VM has ONLY ports 7080, 7009, and
> 7005 open (firewalld)

What is the proxy protocol in use? Are those ports on the Tomcat end only allowing connections from the reverse proxy? What are ports 7009 and 7005 open for? How do you make remote-connections to the server?

-chris