1. Introduction
The Liferay Portal Default Credentials vulnerability allows attackers to gain administrative access to a web application server by using pre-set usernames and passwords. This can lead to complete compromise of the system, including installing malicious plugins. Systems running unconfigured or default instances of Liferay Portal are at risk. A successful exploit could result in loss of confidentiality, integrity, and availability of data stored within the portal.
2. Technical Explanation
The vulnerability occurs when Liferay Portal is deployed with its default administrative credentials ([email protected] / test). An attacker can use these well-known credentials to log in to the administration console and take control of the server. No specific CVE is associated with this general issue; it falls under CWE-798: Use of Hard-coded Credentials. A simple example is an attacker logging in with ‘[email protected]’ as the username and ‘test’ as the password via the Liferay Portal web interface. Affected versions are those shipped with default credentials enabled.
- Root cause: The installation of Liferay Portal includes a pre-configured administrative account with well-known credentials.
- Exploit mechanism: An attacker attempts to log in using the default username and password through the standard login page.
- Scope: All versions of Liferay Portal that ship with default credentials enabled are affected.
3. Detection and Assessment
You can confirm whether a system is vulnerable by attempting to log in with the default credentials. A more thorough method is to check the configuration files for these default settings.
- Quick checks: Attempt to log in using ‘[email protected]’ / ‘test’. If the login succeeds, the system is vulnerable.
- Scanning: Vulnerability scanners can detect this condition; Nessus plugin ID 16238 is one example.
- Logs and evidence: Examine Liferay Portal logs for successful logins from the default account (typically located in the server’s log directory).
# No command available to directly check credentials without attempting login.
4. Solution / Remediation Steps
4.1 Preparation
- Dependencies: Access to the Liferay Portal administration console is required, and a backup of the portal database should be taken before making changes. The rollback plan is to restore from that backup.
- Change window needs: This change should be performed during a maintenance window, as it requires restarting the server. Approval may be needed from system owners.
4.2 Implementation
- Step 1: Log into the Liferay Portal administration console using the default credentials ([email protected] / test).
- Step 2: Navigate to Control Panel > Users and Permissions > Users.
- Step 3: Locate the ‘[email protected]’ user account.
- Step 4: Edit the password for the ‘[email protected]’ account, setting a strong, unique password.
- Step 5: Save the changes and log out of the administration console.
4.3 Config or Code Example
Before
# No config file example available as password is changed through UI. Default username remains [email protected]
After
# Password for user [email protected] has been updated to a strong, unique value via the Liferay Portal administration console.
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability type include least privilege and secure defaults. Implementing these practices can significantly reduce the risk of unauthorized access.
- Practice 1: Least privilege – limit the permissions assigned to default accounts to only what is necessary.
- Practice 2: Secure defaults – avoid shipping products with easily guessable or pre-configured credentials.
4.5 Automation (Optional)
No suitable automation script is available for this specific vulnerability due to the UI-based nature of the password change process.
5. Verification / Validation
- Post-fix check: Attempt to log in using ‘[email protected]’ and the *new* password. A successful login confirms the change.
- Re-test: Attempt to log in using ‘[email protected]’ / ‘test’. Login should fail, indicating the issue is resolved.
- Smoke test: Verify that administrative functions (e.g., adding a user) work as expected with the new credentials.
- Monitoring: Monitor Liferay Portal logs for failed login attempts using the default account.
# No command available to directly check credentials without attempting login.
6. Preventive Measures and Monitoring
- Baselines: Update your security baseline to require immediate password changes for any newly deployed Liferay Portal instances.
- Pipelines: Add a pre-deployment check to verify that the default account has been modified or disabled.
- Asset and patch process: Review configurations regularly to ensure compliance with security policies.
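As an added example for the pre-deployment check above (not code from the advisory or from Liferay), the following Python script reads a portal-ext.properties override and flags whether the shipped admin seed values are still in effect. It assumes the Liferay property names default.admin.password and default.admin.email.address.prefix (the latter forms the left-hand side of the seeded admin's email address), that both ship with the value "test", and a 12-character minimum as a local policy; the sample property files are constructed.

```python
import re

# Liferay admin seed keys (assumed from the documented property names) and
# the value both ship with. MIN_PASSWORD_LEN is an assumed local policy.
KEY_PASSWORD = "default.admin.password"
KEY_EMAIL_PREFIX = "default.admin.email.address.prefix"
SHIPPED_DEFAULT = "test"
MIN_PASSWORD_LEN = 12


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key: value, backslash line continuations; later keys win."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_admin_defaults(props: dict) -> list:
    """Return findings; an empty list means the seed keys pass.
    These keys only take effect when the database is first created, so an
    existing instance must still be verified through the UI (section 5)."""
    findings = []
    password = props.get(KEY_PASSWORD)
    if password is None:
        findings.append(f"{KEY_PASSWORD} not set: shipped default '{SHIPPED_DEFAULT}' seeds the admin account")
    elif password == SHIPPED_DEFAULT or len(password) < MIN_PASSWORD_LEN:
        findings.append(f"{KEY_PASSWORD} is the shipped default or shorter than {MIN_PASSWORD_LEN}")
    if props.get(KEY_EMAIL_PREFIX, SHIPPED_DEFAULT) == SHIPPED_DEFAULT:
        findings.append(f"{KEY_EMAIL_PREFIX} left at '{SHIPPED_DEFAULT}': admin login name is well known")
    return findings


# Constructed samples: an override that never touched the admin seed, and
# one that changes both the login prefix and the password.
WEAK_OVERRIDE = "setup.wizard.enabled=false\ncompany.default.web.id=example.com\n"
FIXED_OVERRIDE = ("default.admin.email.address.prefix=portaladmin\n"
                  "default.admin.password=Constructed-Sample-Passphrase-42\n")

for finding in check_admin_defaults(parse_properties(WEAK_OVERRIDE)):
    print("FAIL:", finding)
```

Run it against the real override file in the pipeline and fail the deployment on any finding.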
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Forgetting the new password – document the new credentials securely and consider a password management solution.
- Roll back: Restore the Liferay Portal database from the backup created prior to making changes.
8. References and Resources
- Vendor advisory or bulletin: Liferay Security Bulletins
- NVD or CVE entry: No specific CVE for default credentials, but see related CWEs at MITRE CWE
- Product or platform documentation relevant to the fix: Liferay Portal Administration Guide