CVE-2022-42123 The Elasticsearch Connector and Liferay DXP have a Zip Slip vulnerability. They can overwrite existing files on the filesystem.
This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. This vulnerability does not affect deployments of the Elasticsearch Connector version 5.0.0 or later. As a work-around, update to Elasticsearch Connector version 5.0.6 or later. Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin. An attacker can install a malicious plugin that allows them to overwrite existing files on the system via the installation of an Elasticsearch Sidecar plugin. This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. As a work-around, update to Elasticsearch Connector version 5.0.6 or later.
Liferay – Command Injection and SQLi
Liferay is vulnerable to SQL injection and command injection attacks. Liferay also has command injection vulnerabilities in a variety of plugins.
In this release, we've fixed a few critical issues with SQLi and command injection, including:
- A fix for the second part of a two-part command injection vulnerability in Elasticsearch Connector
- A fix to prevent an attacker from running arbitrary commands on the portal instance after exploiting an XSS vulnerability
- Fixes for S3 endpoints in Frontend Builder
Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin.
Liferay CVEs
Liferay is a comprehensive and customizable solution for enterprise content management. There are over 690 Liferay CVEs with significant impact and 700+ bugs. Some of these include:
- CVE-2018-10106: Unauthenticated file upload to /liferay/filemanager/upload, allowing access to private files
- CVE-2018-10084: Insecure permission handling in "Developer Portal" allows unauthorized access
- CVE-2017-6191: Authentication bypass through JAXWS in the default realm
The Elasticsearch connector version 5.0.6 or later fixes this vulnerability.
Liferay DXP 7.3:
Zip Slip Vulnerability
Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin. An attacker can install a malicious plugin that allows them to overwrite existing files on the system via the installation of an Elasticsearch Sidecar plugin. This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. As a work-around, update to Elasticsearch Connector version 5.0.6 or later.
Timeline
Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 15:50:00 UTC