A recently discovered vulnerability in the popular Liferay Portal and Liferay DXP platforms, known as CVE-2022-42120, allows attackers to execute arbitrary SQL commands by exploiting the namespace attribute of a PortletPreferences object in the Fragment module. This vulnerability affects Liferay Portal versions 7.3.3 through 7.4.3.16 and Liferay DXP 7.3 before update 4 and 7.4 before update 17. In this post, we delve into the details of this vulnerability, provide code snippets that highlight the affected section, and share resources for further reading and understanding.

The Vulnerability

CVE-2022-42120 is a SQL injection vulnerability: attackers can execute arbitrary SQL commands by injecting SQL code through the Fragment module in Liferay Portal and Liferay DXP. The affected attribute is the namespace of a PortletPreferences object.

Here is a code snippet to illustrate the issue:

public class FragmentEntryLinkLocalServiceImpl extends FragmentEntryLinkLocalServiceBaseImpl {

  // ...

  @Override
  public FragmentEntryLink addFragmentEntryLink(
      long groupId, long plid, long fragmentEntryId, long fragmentCollectionId, String namespace,
      String css, String html, String js, String configuration,
      Map<Long, String> editableValues, String rendererKey, int position, ServiceContext serviceContext)
      throws PortalException {

    // ...

    PortletPreferences portletPreferences = getPortletPreferences(namespace);
    // SQL injection can occur here:
    String sql = "SELECT * FROM portletPreferences where namespace = '" + namespace + "'";

    // ...
  }
}

In the code snippet above, an attacker could manipulate the namespace parameter to insert malicious SQL code. This could lead to data leakage, data corruption, or unauthorized access to sensitive information.
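For contrast with the concatenated query above, the same lookup with a bound parameter and an allowlist check on the value. This is an added example, not Liferay's code or its patch: the class NamespaceLookup, its methods and the namespace pattern are hypothetical, and the table and column names are taken from the illustrative query above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not Liferay code and not the vendor's patch.
public class NamespaceLookup {

  // Assumption: a namespace is a short token of letters, digits and underscores.
  private static final Pattern NAMESPACE = Pattern.compile("[A-Za-z0-9_]{1,75}");

  static boolean isValidNamespace(String namespace) {
    return namespace != null && NAMESPACE.matcher(namespace).matches();
  }

  // Table and column names are taken from the illustrative query above.
  static List<String> findByNamespace(Connection con, String namespace)
      throws SQLException {
    // Defense in depth: reject values that cannot be a namespace at all.
    if (!isValidNamespace(namespace)) {
      throw new IllegalArgumentException("invalid namespace");
    }
    // The statement text is constant; the value travels as a bound parameter,
    // so quotes in it are data and never change the query structure.
    String sql = "SELECT * FROM portletPreferences WHERE namespace = ?";
    List<String> rows = new ArrayList<>();
    try (PreparedStatement ps = con.prepareStatement(sql)) {
      ps.setString(1, namespace);
      try (ResultSet rs = ps.executeQuery()) {
        while (rs.next()) {
          rows.add(rs.getString(1)); // first column, whatever the schema names it
        }
      }
    }
    return rows;
  }

  public static void main(String[] args) {
    // Constructed sample values; no database is needed for this check.
    String[] samples = {"fragment_abc123", "abc' OR '1'='1", "", null};
    for (String s : samples) {
      System.out.println("[" + s + "] valid=" + isValidNamespace(s));
    }
  }
}
```

Running main exercises only the validator; findByNamespace needs a JDBC Connection supplied by the caller.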

Original References

The official CVE entry with detailed information on the vulnerability can be found at CVE-2022-42120.

The Liferay Portal project's official announcement of the vulnerability can be found at Liferay Security Announcement.

The Liferay DXP project's official notification on the vulnerability can be found at Liferay DXP Security Bulletin.

Exploit Details

To exploit this vulnerability, an attacker could manipulate the namespace attribute of a PortletPreferences object, injecting their malicious SQL code. Depending on the attacker's intentions and the specific SQL command used, this exploit could result in various potential outcomes such as unauthorized data access, data corruption, or even control over the entire system in some cases.

It is important to note that while an attacker may need some knowledge of the Liferay Portal or Liferay DXP system to craft a successful exploit, CVE-2022-42120 is still a critical issue considering its potential impact.

Conclusion

To protect against CVE-2022-42120, Liferay Portal and Liferay DXP administrators should update to the latest compatible version of their respective platform. Specifically, this entails updating Liferay Portal to version 7.4.3.16 or later and updating Liferay DXP to update 4 or later in version 7.3 and update 17 or later in version 7.4.

As always, staying informed about security issues and applying patches and updates in a timely manner is critical in maintaining your system's security.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 14:50:00 UTC