Learn about CVE-2020-28885, a vulnerability in Liferay Portal Server allowing OS command injection. Understand the impact, affected versions, and mitigation steps.
Liferay Portal Server, tested on 7.3.5 GA6 and 7.2.0 GA1, is affected by OS command injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Server. The developer disputes this as a vulnerability, considering it a feature for administrators to access and execute commands in Gogo Shell.
Understanding CVE-2020-28885
This CVE involves OS Command Injection in Liferay Portal Server versions 7.3.5 GA6 and 7.2.0 GA1.
What is CVE-2020-28885?
CVE-2020-28885 is a vulnerability in Liferay Portal Server that allows an administrator user to execute OS commands through the Gogo Shell module.
The Impact of CVE-2020-28885
The impact of this vulnerability is the potential for unauthorized execution of OS commands on the Liferay Portal Server, compromising its security.
Technical Details of CVE-2020-28885
This section provides more technical insights into the CVE.
Vulnerability Description
The vulnerability allows an administrator user to inject and execute OS commands through the Gogo Shell module in Liferay Portal Server.
Affected Systems and Versions
Exploitation Mechanism
An administrator user can exploit this vulnerability by injecting malicious commands through the Gogo Shell module.
Mitigation and Prevention
Protect your systems from CVE-2020-28885 with the following steps:
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure timely installation of security patches and updates provided by Liferay to address the CVE-2020-28885 vulnerability.