A significant vulnerability, CVE-2024-25607, has been identified in Liferay Portal versions 7.2.0 through 7.4.3.15, including older unsupported versions, and Liferay DXP versions 7.4 before update 16, 7.3 before update 4, and 7.2 before fix pack 17, along with older unsupported versions. The flaw resides in the default password hashing algorithm, PBKDF2-HMAC-SHA1, which employs a low work factor, potentially enabling attackers to swiftly crack password hashes. Liferay Inc. acknowledged the issue, emphasizing the need for users to update their systems promptly.
The vulnerability’s severity is reflected in its high CVSS score of 8.1 (HIGH), highlighting the risk of unauthorized access to user passwords. Liferay Inc. suggests referring to their official security advisory for more details and guidance on mitigating the vulnerability. With an Exploit Prediction Scoring System (EPSS) score indicating a low probability of exploitation activity in the next 30 days (0.04%), users are still urged to stay vigilant, especially considering the potential impact of compromised passwords.