External risk intelligence

Liferay Portal DXP SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-42120

Liferay Portal and DXP are widely deployed as internet-facing web portals, content management systems, and enterprise application platforms. Because these products are commonly exposed to the internet to serve public web content and user-facing applications, this vulnerability in the core portal framework is likely to be reachable from the internet in common deployments.

SQL Injection

Liferay Dxp

7.37.47.3.3 to 7.4.3.16

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical SQL injection vulnerability found in Liferay Portal and DXP. The flaw could allow unauthenticated attackers to execute arbitrary SQL commands, potentially impacting data integrity and system availability. The main concern is confirming relevance and exposure to Liferay products within our environment.

  • SQL injection allows attackers to run commands.
  • Critical flaw affects widely used Liferay products.
  • Confirm if Liferay products are in use.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to the Liferay Portal or DXP. Since no authentication is required, an attacker could target any exposed instance. The vulnerability lies within the Fragment module, specifically in how it handles the `namespace` attribute of `PortletPreferences`. Successful exploitation allows an attacker to inject and execute arbitrary SQL commands, potentially leading to the compromise of sensitive data or the modification of database content.

  • No authentication required to access.
  • Triggered via `PortletPreferences` `namespace` attribute.
  • Risk: Arbitrary SQL command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary SQL commands by manipulating a `namespace` attribute within PortletPreferences. When this attribute is not properly sanitized, it could lead to unauthorized access and modification of the underlying database.

  • Sensitive database information.
  • SQL injection via `namespace` attribute.
  • Compromise of data integrity and availability.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability impacts Liferay Portal and DXP installations, potentially allowing attackers to execute arbitrary SQL commands. The first practical step involves identifying all instances of the affected Liferay technology, determining their business criticality and external reachability, and then locating the accountable owners to plan remediation.

  • Assign ownership to Liferay administrators.
  • Verify external reachability and business criticality.
  • Plan remediation with the vendor.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Liferay Portal and DXP?

Liferay Portal and DXP are enterprise-grade platforms used to build web portals, content management systems, and custom applications. They function as a centralized hub where organizations host public-facing websites, internal dashboards, and digital services, often integrating various data sources and user workflows into a single interface.

What does SQL injection mean for CVE-2022-42120?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. It means the software fails to properly filter input before using it in a database query. In this specific case, the flaw allows unauthorized parties to submit their own SQL commands, which the system then inadvertently executes, potentially granting them control over the application's database.

How is this Liferay SQL injection triggered?

The vulnerability is triggered when a specially crafted request targets the Fragment module by manipulating the 'namespace' attribute within 'PortletPreferences'. It requires no user authentication to initiate. Simply interacting with standard, non-Fragment portal features or navigating to pages that do not utilize this specific attribute does not trigger the underlying flaw.

Is my instance at risk if it is internal?

While the risk is highest for internet-facing systems, it is not limited to them. Halo Surface Signal notes that because Liferay is frequently deployed as a public-facing portal, this vulnerability is often reachable from the internet. However, any internal instance reachable by users or systems within your network could also be a target, making it important to assess all deployments regardless of their network placement.

What should I do first to address this?

Begin by creating a comprehensive inventory of all Liferay Portal and DXP instances currently running in your environment. Once identified, determine the business criticality of each instance and verify if it is reachable from the internet. Finally, coordinate with your system administrators to confirm which specific versions are in use and prepare to follow the official vendor guidance for applying the necessary updates.

References