Recently, a significant security vulnerability was discovered in Liferay Portal 7.. through and Liferay DXP 7. fix pack 102 and earlier versions, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA. This vulnerability, identified as CVE-2022-42132, allows a potential attacker to obtain the LDAP credential from the page URL. The cause is the 'Test LDAP Users' functionality, which places the credential in the URL when paginating through the list of users. Because URLs are routinely written to request logs and are visible to anyone in a man-in-the-middle position, the credential can be recovered by an attacker who obtains access to the request logs or can observe the traffic.

Code Snippet

To understand this vulnerability, let's take a look at a code snippet that illustrates the improper handling of LDAP credentials:

<a href="/test-ldap-users?p_auth=abcdef&ldapServerId=1&ldapCredential=Vl5CFgQ2Da5DDt7Tj4Bh+q==" aria-label="Next">Next</a>

As seen in the snippet above, the 'ldapCredential' parameter is included in the 'Next' link URL when moving to the next page of the user list. As a result, anyone with access to the request logs, or a man-in-the-middle attacker, can retrieve the LDAP credential from the query string.

Original References

This security vulnerability has been documented in Liferay's own security bulletin and CVE-2022-42132 on the MITRE CVE Database. It is essential to refer to these sources for detailed information on the vulnerability and the affected versions.

To exploit this vulnerability, an attacker can proceed with these steps:

1. Gain access to the request logs of a vulnerable Liferay instance or position themselves as a man-in-the-middle attacker.

2. Extract the exposed LDAP credentials from the URLs.

3. Use these credentials to gain unauthorized access to the LDAP server, potentially compromising the users' data and enabling further attacks.

How to Mitigate

To protect your Liferay Portal or DXP instance from this vulnerability, it is strongly recommended that you perform the following steps:

1. Update to a non-vulnerable version of Liferay Portal or DXP as specified in the Liferay security bulletin:

- Liferay Portal: Update to version or later

- Liferay DXP: Update to fix pack 103 for 7., fix pack 28 for 7.1, fix pack 18 for 7.2, update 5 for 7.3, or GA2 for 7.4.

2. Ensure that HTTPS is enabled for your Liferay instance to prevent man-in-the-middle attacks.

3. Monitor your request logs for suspicious activity and ensure that access to logs is restricted to authorized personnel.
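The leak shown in the code snippet and the log-monitoring step above can both be put into practice with a small log scanner. The following is an added example, not Liferay's code and not part of the advisory: it reads Apache/Tomcat-style "combined" access log lines, flags any request whose query string carries an ldapCredential parameter, and produces a redacted copy of the request target that is safe to retain or forward to a SIEM. The log pattern, the SENSITIVE_PARAMS list and the sample log lines are assumptions constructed for this example; the credential value in the first sample line is the placeholder value from the snippet above.

```python
"""Scan HTTP access logs for the CVE-2022-42132 LDAP credential leak.

Added example, not Liferay's own code. Assumes Apache/Tomcat "combined"
access log lines; adjust LOG_PATTERN for other formats. The sample lines
at the bottom are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never reach a request log (assumed list;
# 'ldapCredential' is the parameter the advisory describes). Compared
# case-insensitively.
SENSITIVE_PARAMS = {"ldapcredential"}

# Apache/Tomcat "combined" access log line, e.g.
# 10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /p?x=1 HTTP/1.1" 200 512 "-" "UA"
LOG_PATTERN = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def leaked_params(target):
    """Return the sensitive query parameter names present in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target):
    """Rewrite a request target so sensitive values read [REDACTED].

    Parameter order and the other parameters are preserved, so the redacted
    target is still useful for investigation.
    """
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_access_log(lines):
    """Return one finding per log line whose request carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # not a line in the expected format; skip it
        params = leaked_params(m.group("target"))
        if params:
            findings.append({
                "time": m.group("time"),
                "client": m.group("client"),
                "params": params,
                "redacted_target": redact_target(m.group("target")),
            })
    return findings


# Constructed sample log lines: one paginated 'Test LDAP Users' request that
# leaks the credential, one unrelated request, and one first-page request
# that does not carry the credential.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /test-ldap-users?p_auth=abcdef'
    '&ldapServerId=1&ldapCredential=Vl5CFgQ2Da5DDt7Tj4Bh+q== HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Nov/2022:10:01:05 +0000] "GET /c/portal/login HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Nov/2022:10:01:09 +0000] "GET /test-ldap-users?p_auth=abcdef'
    '&ldapServerId=1 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} leaked {finding['params']}: "
              f"{finding['redacted_target']}")
```

A hit from this scanner on a production log means the credential must be treated as compromised and rotated on the LDAP side, independently of applying the fix pack; the redacted target is what should be kept in the incident record, never the raw line.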

It is crucial to keep your Liferay Portal and DXP instances updated and secured to prevent unauthorized access and protect users' data. Stay informed about new security vulnerabilities by regularly checking official resources, such as the Liferay Security Bulletin and the MITRE CVE database, and ensure that proper security measures are implemented in your environment.


Published on: 11/15/2022 02:15:00 UTC
Last modified on: 11/17/2022 21:27:00 UTC