External risk intelligence

Liferay Friendly Url Module SQL Injection

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-42122

Liferay Portal and DXP are enterprise content management and web application platforms frequently deployed as public-facing web portals, making their URL handling modules and web interfaces common targets reachable from the internet.

SQL Injection

Liferay Dxp

7.37.3.7

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a SQL injection flaw within a specific module that handles web addresses, potentially allowing unauthorized access to execute database commands. The main concern is to confirm if our organization utilizes the affected technology, as its presence could lead to significant data compromise or system disruption.

  • Allows unauthorized database commands.
  • Affects web address handling, potentially exposing data.
  • Confirm relevance and scope of affected systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a Liferay Portal or DXP instance. The request would target the Friendly Url module, specifically injecting malicious SQL commands into the `title` field of a friendly URL. This could lead to an attacker executing arbitrary SQL commands on the affected system.

  • No authentication or user interaction needed.
  • Injecting SQL into a friendly URL title.
  • Arbitrary SQL command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary SQL commands by injecting malicious input into the `title` field of a friendly URL. This could lead to unauthorized access to or manipulation of the underlying database.

  • Database integrity and confidentiality.
  • Via crafted URL `title` field.
  • Data corruption or unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Liferay Portal and DXP, likely managed by platform or infrastructure teams responsible for web application hosting. The immediate priority is to identify all deployments of the affected technology, confirm their exposure and criticality, and then assign ownership for a risk-based remediation plan, coordinating with any relevant vendor management teams.

  • Platform or infrastructure teams own remediation.
  • Verify internet-facing and critical instances.
  • Plan remediation based on risk and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Liferay Portal and DXP?

Liferay Portal and DXP are enterprise software platforms used to build websites, intranets, and digital portals. They provide frameworks for managing web content and user experiences. The vulnerability affects the Friendly Url module, a component that helps convert complex system links into more readable, human-friendly web addresses.

What is the vulnerability in CVE-2022-42122?

This is a SQL injection vulnerability, identified as CWE-89. In simple terms, the software fails to properly filter user-supplied data in a specific URL field. An attacker can use this oversight to insert their own database commands, which the system then accidentally executes, potentially granting unauthorized access to the underlying information stored in the database.

How does an attacker trigger this SQL injection?

An attacker triggers the vulnerability by sending a specially crafted request that contains malicious SQL code within the 'title' field of a Friendly URL. It is important to note that this flaw does not require the attacker to be logged into the system or have any prior user interaction; the system processes the malicious command automatically upon receiving the manipulated web request.

Is my organization at risk from CVE-2022-42122?

Halo Surface Signal indicates that Liferay Portal and DXP instances are often deployed as public-facing web portals, which makes them reachable from the internet. If you run the affected versions of this software in an environment that is accessible to outside traffic, your infrastructure is considered a likely target because the vulnerability can be reached remotely without authentication.

What should I do if I run Liferay software?

Your first step is to inventory your environment to identify any deployments of the specific Liferay DXP or Portal versions mentioned in the advisory. Once identified, prioritize these instances based on whether they are internet-facing or hold sensitive data. Coordinate with your infrastructure or platform teams to review vendor-provided updates and establish a plan to secure your database and application settings.

References