CVE-2022-42123 The Elasticsearch Connector and Liferay DXP have a Zip Slip vulnerability. They can overwrite existing files on the filesystem.

This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. This vulnerability does not affect deployments of the Elasticsearch Connector version 5.0.0 or later. As a work-around, update to Elasticsearch Connector version 5.0.6 or later. Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin. An attacker can install a malicious plugin that allows them to overwrite existing files on the system via the installation of an Elasticsearch Sidecar plugin. This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. As a work-around, update to Elasticsearch Connector version 5.0.6 or later.

Liferay – Command Injection and SQLi

Liferay is vulnerable to SQL injection and command injection attacks. Liferay also has command injection vulnerabilities in a variety of plugins.
In this release, we've fixed a few critical issues with SQLi and command injection, including:
- A fix for the second part of a two-part command injection vulnerability in Elasticsearch Connector
- A fix to prevent an attacker from running arbitrary commands on the portal instance after exploiting an XSS vulnerability
- Fixes for S3 endpoints in Frontend Builder

Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin.

Liferay CVEs

Liferay is a comprehensive and customizable solution for enterprise content management. There are over 690 Liferay CVEs with significant impact and 700+ bugs. Some of these include:
- CVE-2018-10106: Unauthenticated file upload to /liferay/filemanager/upload, allowing access to private files
- CVE-2018-10084: Insecure permission handling in "Developer Portal" allows unauthorized access
- CVE-2017-6191: Authentication bypass through JAXWS in the default realm

The Elasticsearch connector version 5.0.6 or later fixes this vulnerability.

Liferay DXP 7.3:

Zip Slip Vulnerability
Liferay DXP 7.3 before update 6, and 7.4 before update 19 are vulnerable to Zip Slip vulnerability due to a change in the installation script of certain Elasticsearch Sidecar plugin. An attacker can install a malicious plugin that allows them to overwrite existing files on the system via the installation of an Elasticsearch Sidecar plugin. This can be exploited after a user clicks the ‘Add new data source’ button in Portal, or in DXP to overwrite existing files with attacker-controlled content. As a work-around, update to Elasticsearch Connector version 5.0.6 or later.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 15:50:00 UTC

References

• http://liferay.com
• https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-42123
• https://issues.liferay.com/browse/LPE-17518
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42123