CVE-2022-42124 in Liferay
Summary
by MITRE • 11/15/2022
ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype.
Analysis
by VulDB Data Team • 09/05/2025
CVE-2022-42124 is a Regular Expression Denial of Service (ReDoS) flaw in the LayoutPageTemplateEntryUpgradeProcess component of Liferay Portal and Liferay DXP. It affects Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA. The flaw is triggered when a crafted payload is placed in the 'name' field of a layout prototype and that value is later fed to the component's regular expression processing.
The root cause is inadequate validation of the name field combined with regular expression handling in the upgrade process that is prone to backtracking. When the upgrade process matches a specially crafted name against such a pattern, the engine falls into exponential backtracking: it retries every way of splitting the input before concluding that the match fails, so CPU time grows far faster than the input length does. The vulnerability is classified under CWE-400, Uncontrolled Resource Consumption, in the specific form of a Regular Expression Denial of Service.
The operational impact goes beyond simple resource exhaustion. Remote attackers can use the flaw to keep targeted Liferay instances busy with sustained resource consumption, leading to service disruption, system instability and denial of service. The attack requires minimal privileges, since it targets upgrade process functionality that is reachable by authenticated users or, depending on system configuration, potentially by unauthenticated attackers. The vulnerability maps to ATT&CK technique T1499.004 for Network Denial of Service and T1595.001 for Network Infrastructure Tunnelling, as it exploits the underlying system resources to create service availability issues.
Mitigation for CVE-2022-42124 should start with upgrading to patched releases of Liferay Portal and DXP. Organizations should also validate and filter all user-supplied data, particularly fields that are later processed by regular expressions. Network-level protections such as rate limiting and traffic filtering reduce the impact of repeated attempts. Security teams should monitor affected systems for exploitation attempts and keep logging detailed enough to detect anomalous resource consumption, and should review their Liferay deployments for other code paths that apply regular expressions to user-controlled input and may carry similar risk. The case illustrates why input validation and timely security updates matter in enterprise portal systems.
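As an added example (not Liferay's code; the page does not show the actual expression), the following Python script illustrates both the exponential backtracking described in the analysis and the validation measures recommended above: a hypothetical name-validation regex with nested quantifiers beside a linear-time rewrite of the same language, plus a length cap applied before any pattern runs. The pattern, the name length limit and the crafted input are all constructed assumptions.

```python
import re
import time

# Hypothetical name-validation pattern with the shape that causes catastrophic
# backtracking: a quantified group whose body is itself quantified, plus an
# optional separator that lets the engine split one word in many ways.
# Constructed for this example; the page does not show Liferay's real pattern.
NESTED = re.compile(r"^(\w+\s?)+$")

# Same language rewritten without nested quantifiers: each character can be
# consumed by only one token, so a failed match costs linear time.
LINEAR = re.compile(r"^\w+(\s\w+)*\s?$")

# Assumed upper bound for a layout prototype name. A hard length cap bounds the
# work of any regex, however it is written, and runs before the regex does.
MAX_NAME_LENGTH = 75


def crafted_name(n: int) -> str:
    """Constructed ReDoS-style input: n word characters followed by a character
    that can never match, forcing the engine to try every way to split them."""
    return "a" * n + "!"


def is_valid_name(name: str, pattern: re.Pattern = LINEAR) -> bool:
    """Defensive check: reject on length first, then match with the linear
    pattern. Both steps are bounded by the size of the input."""
    if len(name) > MAX_NAME_LENGTH:
        return False
    return pattern.fullmatch(name) is not None


def match_seconds(pattern: re.Pattern, text: str) -> float:
    """Wall-clock time for a single match attempt, used to show the growth."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each added character roughly doubles the nested pattern's time while the
    # linear pattern stays flat; n is kept small so the demo finishes quickly.
    for n in (10, 14, 18):
        text = crafted_name(n)
        print(f"n={n:2d}  nested={match_seconds(NESTED, text):.4f}s"
              f"  linear={match_seconds(LINEAR, text):.6f}s")
    print("accepts 'Home Page':", is_valid_name("Home Page"))
    print("rejects 300-char crafted name:", not is_valid_name(crafted_name(300)))
```

Running the script prints a timing table in which the nested pattern's time climbs with each step of n while the linear pattern stays in the microsecond range.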