PT-2024-21036 · Liferay · Liferay Portal+1

Published: 2024-02-20 · Updated: 2024-12-11 · CVE-2024-25607

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.2.0 through 7.4.3.15
Liferay DXP 7.4 before update 16
Liferay DXP 7.3 before update 4
Liferay DXP 7.2 before fix pack 17
Description
The default password hashing algorithm (PBKDF2-HMAC-SHA1) in the affected software is configured with a low default work factor (iteration count). An attacker who obtains the stored password hashes can therefore crack them quickly, because each guess costs very little computation. Both Liferay Portal and Liferay DXP are affected, in the versions listed above.
Recommendations
For Liferay Portal versions 7.2.0 through 7.4.3.15, update to a version with a higher work factor for the password hashing algorithm.
For Liferay DXP 7.4, apply update 16.
For Liferay DXP 7.3, apply update 4.
For Liferay DXP 7.2, apply fix pack 17.
As a temporary workaround, increase the configured work factor for the PBKDF2-HMAC-SHA1 algorithm so that each cracking attempt becomes more expensive. Note that, as with any password hashing scheme whose iteration count is stored alongside the hash, raising the configured work factor only affects hashes computed after the change; hashes already in the database keep their original cost until they are regenerated (for example, when a user's password is next set).
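The following is an added example, not Liferay's code, showing why the work factor matters and how a defender can check a configured value against a policy floor. It uses Python's standard hashlib.pbkdf2_hmac, verifies itself against the published RFC 6070 test vectors for PBKDF2-HMAC-SHA1, and measures how much each password guess slows down when the iteration count is raised. The policy floor MIN_ITERATIONS and the sample password/salt are assumptions for the demonstration; Liferay's own default iteration count and hash storage format are not reproduced here.

```python
import hashlib
import hmac
import time

# Constructed inputs: the RFC 6070 test vector for PBKDF2-HMAC-SHA1, used only
# so that derive() can be checked against known-good output.
RFC6070_PASSWORD = b"password"
RFC6070_SALT = b"salt"

# Hypothetical policy floor; set this to whatever your own guidance requires.
MIN_ITERATIONS = 600_000


def derive(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 with an explicit work factor (iteration count)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def verify(password: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Check a candidate password against a stored hash using a constant-time compare."""
    candidate = derive(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def meets_policy(iterations: int, minimum: int = MIN_ITERATIONS) -> bool:
    """True when a configured work factor is at or above the policy floor."""
    return iterations >= minimum


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation at the given work factor."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive(RFC6070_PASSWORD, RFC6070_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def slowdown(low: int, high: int) -> float:
    """Cost multiplier per guess when the work factor is raised from `low`
    to `high`; PBKDF2 cost scales roughly linearly with the iteration count."""
    return seconds_per_derivation(high) / seconds_per_derivation(low)


if __name__ == "__main__":
    # Known-good RFC 6070 outputs for c = 1, 2 and 4096 iterations.
    for it in (1, 2, 4096):
        print(it, derive(RFC6070_PASSWORD, RFC6070_SALT, it).hex())
    low, high = 1_000, 100_000
    print(f"raising {low} -> {high} iterations costs ~{slowdown(low, high):.0f}x per guess")
    print("policy ok at", high, "iterations:", meets_policy(high))
```

The timing ratio, not the absolute time, is the useful number: it tells you how much more expensive every offline guess becomes for the same hardware, independent of the machine the measurement was taken on.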

Fix


Weakness Enumeration

Related Identifiers

CVE-2024-25607
GHSA-43H9-P3J4-39HM

Affected Products

Liferay DXP
Liferay Portal