VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-42131

Description

Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing SSL certificate validation in Liferay's Dynamic Data Mapping REST data providers enables man-in-the-middle attacks on affected Portal and DXP versions.

Vulnerability

Overview

The Dynamic Data Mapping module's REST data providers in certain Liferay products fail to validate SSL certificates during HTTPS connections [1]. This missing validation affects Liferay Portal versions 7.1.0 through 7.4.2 and Liferay DXP versions 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 [1]. The flaw resides in the module responsible for fetching external data via REST APIs, where the client does not verify the authenticity of the server's certificate.

Exploitation

Prerequisites

An attacker must be in a position to intercept network traffic between the affected Liferay instance and the external REST data provider [1]. This could be achieved through a man-in-the-middle (MITM) attack on the network path, such as on a compromised network segment or via DNS spoofing. No authentication is required to trigger the vulnerable functionality; any user or process that invokes a REST data provider is affected.

Impact

Successful exploitation allows an attacker to impersonate the legitimate REST data provider, potentially injecting malicious data into the Liferay system or exfiltrating sensitive information sent in requests [1]. The integrity and confidentiality of data exchanged through the Dynamic Data Mapping module are compromised, which could lead to further attacks depending on how the fetched data is used within the portal.

Mitigation

Liferay has addressed this vulnerability in the following releases: Liferay Portal 7.4.3 and later, Liferay DXP 7.1 fix pack 27, 7.2 fix pack 17, and 7.3 service pack 3 [1]. Users should upgrade to these fixed versions or apply the appropriate patches. No workaround is documented; enabling SSL certificate validation is inherent to the fix. The vendor's official site provides product information and update guidance [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.1.0, < 7.4.3.4 | 7.4.3.4
