Hey folks, today we will discuss a new vulnerability that affects the Liferay Portal and Liferay DXP platforms. Liferay, an open-source portal platform, is widely used to build modern web applications and web content management systems.

The vulnerability in question has been assigned CVE-2022-42124 and it affects the "LayoutPageTemplateEntryUpgradeProcess" component in:

Liferay DXP 7.4 GA

This vulnerability is classified as a ReDoS (Regular Expression Denial of Service) problem that allows a remote attacker to consume an excessive amount of server resources using a crafted payload in the 'name' field of a layout prototype.

Code Snippet

The issue has been identified in the "LayoutPageTemplateEntryUpgradeProcess" component. While processing the 'name' field of a layout prototype, a vulnerable regular expression is used, which can be exploited to cause server resource exhaustion. Below is the vulnerable code snippet:

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Strip every character outside the class, then lower-case; StringPool.BLANK is Liferay's empty-string constant.
String name = layoutPrototype.getName(locale);
Pattern pattern = Pattern.compile("[^a-zA-Z-9_-]");
Matcher matcher = pattern.matcher(name);
String friendlyUrl = matcher.replaceAll(StringPool.BLANK).toLowerCase();

In this code, the regular expression "[^a-zA-Z-9_-]" is prone to ReDoS attacks when given a specially crafted input string.

Exploit Details

An attacker can exploit this vulnerability by sending a specially crafted payload in the 'name' field of a layout prototype, causing the server to execute an expensive regular expression operation and consume excessive resources, leading to a Denial of Service (DoS) condition.

An example of a crafted payload that can trigger this vulnerability is a long sequence of characters not matching the vulnerable regular expression (e.g., a large string of non-alphanumeric characters). This would lead to excessive backtracking when processing the regular expression, causing the server to hang or crash.
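As an added example (not Liferay's code), the Java below shows the defensive shape the friendly-URL step from the snippet above can take: the name is length-capped before any per-character work and filtered in a single pass with no regular expression at all. The class name and MAX_NAME_LENGTH are assumptions for this example, and the allow-list (ASCII letters, digits, underscore, hyphen) is assumed to be what the original pattern intended.

```java
import java.util.Locale;

// Added example, not Liferay code: a friendly-URL sanitizer that bounds the
// work done per request instead of handing untrusted input to a regex.
public class FriendlyUrlSanitizer {

    // Upper bound on the name length we are willing to process; the value is
    // an assumption for this example, not a Liferay setting.
    private static final int MAX_NAME_LENGTH = 255;

    // Allow-list equivalent to the negated character class in the original
    // snippet (assumed intent): letters, digits, underscore and hyphen survive,
    // everything else is dropped. One pass over the input, no backtracking.
    static boolean isAllowed(char c) {
        return (c >= 'a' && c <= 'z')
            || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')
            || c == '_' || c == '-';
    }

    static String toFriendlyUrl(String name) {
        if (name == null) {
            return "";
        }
        // Truncate oversized input before any per-character work so a crafted
        // 'name' cannot turn into an expensive operation.
        if (name.length() > MAX_NAME_LENGTH) {
            name = name.substring(0, MAX_NAME_LENGTH);
        }
        StringBuilder sb = new StringBuilder(name.length());
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (isAllowed(c)) {
                sb.append(Character.toLowerCase(c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and an oversized, symbol-only one.
        System.out.println(toFriendlyUrl("My Landing Page_v2!")); // mylandingpage_v2
        StringBuilder oversized = new StringBuilder();
        for (int i = 0; i < 1_000_000; i++) {
            oversized.append("!@#$%^&*()");
        }
        long start = System.nanoTime();
        String out = toFriendlyUrl(oversized.toString());
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println(out.length() + " chars kept in " + ms + " ms");
    }
}
```

The same timing loop, run against the original Pattern on the same oversized input, gives a direct measurement of how the deployed code behaves on long names.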

Mitigation

Liferay has released patches to address this vulnerability. Affected users are advised to apply the following updates according to their Liferay version:

Liferay DXP 7.4 GA: Update to 7.4.3.5

You can find these updates and more information on the Liferay website: https://www.liferay.com/


Please make sure to update your Liferay Portal and Liferay DXP installations to protect against this ReDoS vulnerability, and follow best practices for securing your web applications to guard against other types of security threats.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 16:37:00 UTC