Liferay Portal is a popular open-source digital experience software, widely used for portals, intranets, and websites. But in 2022, security researchers discovered a worrying flaw—CVE-2022-42120—that affected thousands of deployments worldwide. Let's break down what this vulnerability is, how it works, and how you can spot or test for it.

What Is CVE-2022-42120?

CVE-2022-42120 is a *SQL Injection vulnerability* lurking in the "Fragment" module of Liferay Portal (versions 7.3.3 through 7.4.3.16) and Liferay DXP (7.3 before update 4, 7.4 before update 17). In simple terms, a vulnerable part of Liferay’s code let users inject and run their own SQL commands, which could steal or destroy data.

Here’s the main problem:  
The vulnerability lies in the handling of the namespace attribute of PortletPreferences. Untrusted user input was placed into SQL queries without proper escaping or parameterization, so an attacker who controlled that value could append SQL of their own.

How Does the Exploit Work?

The *Fragment module* receives input from web users in the form of PortletPreferences. When it loaded or saved these settings, it used the namespace attribute directly in an SQL query—without proper filtering or escaping.

If someone could change the namespace value (e.g., via an HTTP request or crafted payload), they could sneak SQL commands into the query.

The impact is severe:

Example: Exploiting the Vulnerability

Let’s look at a simplified version of the vulnerable SQL code (not the real code, but a realistic example):

// BAD (vulnerable) code
String sql = "SELECT * FROM PortletPreferences WHERE namespace = '" + namespace + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(sql);

Suppose namespace is supplied by the user. An attacker could send

namespace=foo' OR '1'='1

Now, the SQL becomes

SELECT * FROM PortletPreferences WHERE namespace = 'foo' OR '1'='1'

This will return all records because '1'='1' is always true.

It can get much worse if the attacker appends further SQL; depending on the database and driver in use, this can even modify or delete data.

Here’s how an attacker might exploit this flaw using a direct HTTP request:

Step 1: Find a Liferay page that handles PortletPreferences (you may need authentication if not public)

Step 2: Intercept a request (via Burp Suite, Postman, etc.) that submits or updates portlet namespaces

Step 3: Modify the payload

POST /o/fragment-portlet-preferences HTTP/1.1
Host: target.liferay.com
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=...

namespace=foo'%20OR%20'1'%3D'1

Step 4: Observe the application crashing, leaking data it shouldn’t, or acting strangely.

Detecting & Mitigating

1. Check Your Version:  
Are you using Liferay 7.3.3 - 7.4.3.16 or DXP 7.3 (< update 4), 7.4 (< update 17)?  
If yes, you are vulnerable!

2. Audit Your Logs:  
Look for odd entries around the Fragment module, especially requests with suspicious namespace values.

3. Upgrade Immediately:

Apply the official patches provided by Liferay for the affected versions:

- Liferay Portal 7.3.3 through 7.4.3.16
- Liferay DXP 7.3 (before update 4) and 7.4 (before update 17)

4. Deploy a Web Application Firewall (WAF)

WAFs can block common SQL injection patterns, but treat this as a stopgap until the patch is applied, not as a fix.
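To make the log audit in step 2 concrete, here is an added example (my own code, not from the original write-up and not Liferay's) that scans request-log lines for namespace values that do not look like a Liferay portlet namespace or that contain SQL-injection tokens. The log lines are constructed for the demo in a simplified "METHOD PATH BODY" format; the assumption is that the namespace parameter is actually visible in the log (for instance captured by a reverse proxy or WAF), since ordinary access logs do not record POST bodies. The expected namespace shape (underscore-wrapped Java-style identifier) is also an assumption you should tune to your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in a simplified "METHOD PATH BODY" format ("-" = no body).
# This is NOT Liferay's real log format; it only stands in for a proxy/WAF capture.
SAMPLE_LOG = """\
POST /o/fragment-portlet-preferences namespace=_com_liferay_fragment_web_portlet_FragmentPortlet_
POST /o/fragment-portlet-preferences namespace=foo'%20OR%20'1'%3D'1
GET /web/guest/home?p_p_id=com_liferay_journal_web_portlet_JournalPortlet -
POST /o/fragment-portlet-preferences namespace=foo%27%3B%20DROP%20TABLE%20PortletPreferences%3B--
POST /o/fragment-portlet-preferences namespace=_com_liferay_journal_web_portlet_JournalPortlet_
"""

# Assumption: legitimate portlet namespaces are Java-style identifiers wrapped in
# underscores, so anything outside [A-Za-z0-9_] is out of place.
NAMESPACE_SHAPE = re.compile(r"^[A-Za-z0-9_]+$")

# Classic SQL-injection tokens, checked on the URL-decoded value.
SQLI_TOKENS = re.compile(r"'|--|;|/\*|\bor\b|\bunion\b", re.IGNORECASE)


def extract_namespace(line):
    """Return the URL-decoded namespace parameter from one log line, or None.

    Looks in the query string first, then in the body (if any)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _method, path, body = parts
    params = dict(parse_qs(urlsplit(path).query))
    if body != "-":
        params.update(parse_qs(body))
    values = params.get("namespace")
    return values[0] if values else None


def suspicious_reasons(namespace):
    """List why a decoded namespace value looks suspicious (empty list = looks fine)."""
    reasons = []
    if not NAMESPACE_SHAPE.match(namespace):
        reasons.append("unexpected characters")
    if SQLI_TOKENS.search(namespace):
        reasons.append("sql token")
    return reasons


def audit(log_text):
    """Return (line_number, decoded_namespace, reasons) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        namespace = extract_namespace(line)
        if namespace is None:
            continue
        reasons = suspicious_reasons(namespace)
        if reasons:
            findings.append((lineno, namespace, reasons))
    return findings


if __name__ == "__main__":
    for lineno, namespace, reasons in audit(SAMPLE_LOG):
        print("line %d: namespace=%r (%s)" % (lineno, namespace, ", ".join(reasons)))
```

Decoding before matching matters: the payload on the page arrives as `foo'%20OR%20'1'%3D'1`, and a check on the raw bytes would miss the space-separated `OR`. Expect some false positives from the apostrophe rule on free-text parameters; here it is acceptable because a real namespace never contains one.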

Fixing the Code

The secure fix is a parameterized query. Here’s what that looks like in Java:

// GOOD (fixed) code: the value is bound as a parameter, never spliced into the SQL text
String sql = "SELECT * FROM PortletPreferences WHERE namespace = ?";
PreparedStatement stmt = connection.prepareStatement(sql);
stmt.setString(1, namespace);
ResultSet rs = stmt.executeQuery();

In this version, the user input cannot break out of the string literal and modify the query logic.
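The following added example (my own code, not from the original write-up and not Liferay's) runs the vulnerable concatenated query from the "Example: Exploiting the Vulnerability" section and the parameterized fix from this section side by side against an in-memory SQLite table, using the same `foo' OR '1'='1` input from the page. It also shows the correctness cost of concatenation that the page only hints at: a legitimate value containing an apostrophe crashes the concatenated query while the parameterized one just matches nothing. The table layout and the sample rows are constructed for the demo and are not Liferay's real schema.

```python
import sqlite3

# Constructed stand-in for Liferay's PortletPreferences table. The column names
# are an assumption for this demo, not Liferay's real schema.
SAMPLE_ROWS = [
    ("_com_liferay_fragment_web_portlet_FragmentPortlet_", "<portlet-preferences/>"),
    ("_com_liferay_journal_web_portlet_JournalPortlet_", "<portlet-preferences/>"),
    ("foo", "<portlet-preferences/>"),
]

# The input from the write-up above.
PAYLOAD = "foo' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PortletPreferences (namespace TEXT, preferences TEXT)")
    conn.executemany("INSERT INTO PortletPreferences VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, namespace):
    """Mirror of the BAD snippet: the value is spliced into the SQL text."""
    sql = "SELECT namespace FROM PortletPreferences WHERE namespace = '" + namespace + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, namespace):
    """Mirror of the fixed snippet: the value is bound as a parameter, so the
    database engine never parses it as SQL."""
    sql = "SELECT namespace FROM PortletPreferences WHERE namespace = ?"
    return [row[0] for row in conn.execute(sql, (namespace,))]


def compare(namespace=PAYLOAD):
    """Run both lookups on the same input and return the rows each produced."""
    conn = make_db()
    try:
        return {
            "vulnerable": vulnerable_lookup(conn, namespace),
            "safe": safe_lookup(conn, namespace),
        }
    finally:
        conn.close()


def concat_breaks_on_apostrophe(value="O'Brien"):
    """Show that concatenation is also a correctness bug: a legitimate value with an
    apostrophe makes the vulnerable query fail with a syntax error, while the
    parameterized query simply matches nothing.

    Returns (vulnerable_query_failed, rows_from_safe_query)."""
    conn = make_db()
    try:
        try:
            vulnerable_lookup(conn, value)
            failed = False
        except sqlite3.OperationalError:
            failed = True
        return failed, safe_lookup(conn, value)
    finally:
        conn.close()


if __name__ == "__main__":
    result = compare()
    print("concatenated query returned %d of %d rows" % (len(result["vulnerable"]), len(SAMPLE_ROWS)))
    print("parameterized query returned %d rows" % len(result["safe"]))
    print("apostrophe in a legitimate value breaks the concatenated query:",
          concat_breaks_on_apostrophe()[0])
```

The parameterized version returns zero rows for the payload because the whole string, quote and all, is compared as data against the namespace column; there is no row literally named `foo' OR '1'='1`. That is the property the fix relies on, and it holds for any driver that sends parameters separately from the statement text rather than interpolating them client-side.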


Conclusion

CVE-2022-42120 is a classic case of what happens when user input meets careless SQL queries. Luckily, Liferay patched it quickly, but anyone still on old versions is open to attack. If you build or run Liferay portals, always keep your software up to date, and never trust user input in database queries!


*Stay safe, keep your data protected, and patch often.*

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 14:50:00 UTC