CVE-2024-25607
First published: Tue Feb 20 2024(Updated: )
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes.
Credit: security@liferay.com security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/com.liferay.portal:com.liferay.portal.kernel | <38.0.0 | 38.0.0 |
| maven/com.liferay.portal:release.portal.bom | <7.4.3.14 | 7.4.3.14 |
| maven/com.liferay.portal:release.dxp.bom | >=7.4.0<7.4.13.u16 | 7.4.13.u16 |
| maven/com.liferay.portal:release.dxp.bom | <7.2.10.fp17 | 7.2.10.fp17 |
| maven/com.liferay.portal:release.dxp.bom | >=7.3.0<7.3.10.u4 | 7.3.10.u4 |
| Liferay DXP | <7.2 | |
| Liferay DXP | =7.2 | |
| Liferay DXP | =7.2-fix_pack_1 | |
| Liferay DXP | =7.2-fix_pack_10 | |
| Liferay DXP | =7.2-fix_pack_11 | |
| Liferay DXP | =7.2-fix_pack_12 | |
| Liferay DXP | =7.2-fix_pack_13 | |
| Liferay DXP | =7.2-fix_pack_14 | |
| Liferay DXP | =7.2-fix_pack_15 | |
| Liferay DXP | =7.2-fix_pack_16 | |
| Liferay DXP | =7.2-fix_pack_17 | |
| Liferay DXP | =7.2-fix_pack_2 | |
| Liferay DXP | =7.2-fix_pack_3 | |
| Liferay DXP | =7.2-fix_pack_4 | |
| Liferay DXP | =7.2-fix_pack_5 | |
| Liferay DXP | =7.2-fix_pack_6 | |
| Liferay DXP | =7.2-fix_pack_7 | |
| Liferay DXP | =7.2-fix_pack_8 | |
| Liferay DXP | =7.2-fix_pack_9 | |
| Liferay DXP | =7.2-service_pack_1 | |
| Liferay DXP | =7.2-service_pack_2 | |
| Liferay DXP | =7.2-service_pack_3 | |
| Liferay DXP | =7.2-service_pack_4 | |
| Liferay DXP | =7.2-service_pack_5 | |
| Liferay DXP | =7.3 | |
| Liferay DXP | =7.3-fix_pack_1 | |
| Liferay DXP | =7.3-fix_pack_2 | |
| Liferay DXP | =7.3-service_pack_1 | |
| Liferay DXP | =7.3-service_pack_3 | |
| Liferay DXP | =7.4 | |
| Liferay DXP | =7.4-update1 | |
| Liferay DXP | =7.4-update10 | |
| Liferay DXP | =7.4-update11 | |
| Liferay DXP | =7.4-update12 | |
| Liferay DXP | =7.4-update13 | |
| Liferay DXP | =7.4-update14 | |
| Liferay DXP | =7.4-update15 | |
| Liferay DXP | =7.4-update2 | |
| Liferay DXP | =7.4-update3 | |
| Liferay DXP | =7.4-update4 | |
| Liferay DXP | =7.4-update5 | |
| Liferay DXP | =7.4-update6 | |
| Liferay DXP | =7.4-update7 | |
| Liferay DXP | =7.4-update8 | |
| Liferay DXP | =7.4-update9 | |
| Liferay 7.4 GA | <=7.4.3.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-25607?
CVE-2024-25607 is classified as a medium severity vulnerability due to the low work factor used in the PBKDF2-HMAC-SHA1 password hashing algorithm.
How do I fix CVE-2024-25607?
To fix CVE-2024-25607, upgrade to Liferay Portal version 7.4.3.15 or above, or Liferay DXP version 7.4 update 16, 7.3 update 4, or 7.2 fix pack 17.
Which versions are affected by CVE-2024-25607?
CVE-2024-25607 affects Liferay Portal versions 7.2.0 to 7.4.3.15 and older unsupported versions, as well as Liferay DXP versions 7.4 before update 16, 7.3 before update 4, and 7.2 before fix pack 17.
What is the impact of exploiting CVE-2024-25607?
Exploiting CVE-2024-25607 can allow attackers to compromise user accounts through weak password hashing.
Is there a workaround for CVE-2024-25607?
A temporary workaround for CVE-2024-25607 may include enhancing password security by implementing stronger password policies or using alternative hashing algorithms until an upgrade can be completed.
- agent/weakness
- agent/description
- agent/type
- agent/first-publish-date
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-43h9-p3j4-39hm
- alias/CVE-2024-25607
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/trending
- collector/github-advisory
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/liferay
- canonical/liferay dxp
- version/liferay dxp/7.2
- version/liferay dxp/7.2-fix_pack_1
- version/liferay dxp/7.2-fix_pack_10
- version/liferay dxp/7.2-fix_pack_11
- version/liferay dxp/7.2-fix_pack_12
- version/liferay dxp/7.2-fix_pack_13
- version/liferay dxp/7.2-fix_pack_14
- version/liferay dxp/7.2-fix_pack_15
- version/liferay dxp/7.2-fix_pack_16
- version/liferay dxp/7.2-fix_pack_17
- version/liferay dxp/7.2-fix_pack_2
- version/liferay dxp/7.2-fix_pack_3
- version/liferay dxp/7.2-fix_pack_4
- version/liferay dxp/7.2-fix_pack_5
- version/liferay dxp/7.2-fix_pack_6
- version/liferay dxp/7.2-fix_pack_7
- version/liferay dxp/7.2-fix_pack_8
- version/liferay dxp/7.2-fix_pack_9
- version/liferay dxp/7.2-service_pack_1
- version/liferay dxp/7.2-service_pack_2
- version/liferay dxp/7.2-service_pack_3
- version/liferay dxp/7.2-service_pack_4
- version/liferay dxp/7.2-service_pack_5
- version/liferay dxp/7.3
- version/liferay dxp/7.3-fix_pack_1
- version/liferay dxp/7.3-fix_pack_2
- version/liferay dxp/7.3-service_pack_1
- version/liferay dxp/7.3-service_pack_3
- version/liferay dxp/7.4
- version/liferay dxp/7.4-update1
- version/liferay dxp/7.4-update10
- version/liferay dxp/7.4-update11
- version/liferay dxp/7.4-update12
- version/liferay dxp/7.4-update13
- version/liferay dxp/7.4-update14
- version/liferay dxp/7.4-update15
- version/liferay dxp/7.4-update2
- version/liferay dxp/7.4-update3
- version/liferay dxp/7.4-update4
- version/liferay dxp/7.4-update5
- version/liferay dxp/7.4-update6
- version/liferay dxp/7.4-update7
- version/liferay dxp/7.4-update8
- version/liferay dxp/7.4-update9
- canonical/liferay 7.4 ga
- version/liferay 7.4 ga/7.4.3.15