SB2018042602 - Multiple vulnerabilities in Liferay Enterprise Portal

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Security restrictions bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass security restrictions on the target system

The weakness exists due to multiple permission issues. A remote attacker can bypass security restrictions and perform actions on resources which they are not authorized to perform.

3) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system

The weakness exists due to password exposure in System Settings. A remote attacker can view passwords in the System Settings section of the Control Panel.

4) Disk consumption (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system

The weakness exists due to an error when using Xuggler. A remote attacker can create a large number of temporary files during video playback when Xuggler is enabled for video conversion, trigger disk consumption and cause the service to crash.

5) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to unauthorized access to system portlets/applications. A remote attacker can modify system settings to gain administration privileges.

6) Open redirect (CVE-ID: N/A)

The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites.

The weakness exists due to open redirect in Asset Publisher. A remote attacker can use a specially crafted image link, trick the victim into opening it and redirect users to malicious website.

7) Information disclosure (CVE-ID: N/A)

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system

The weakness exists due to insufficient input validation. A local attacker can submit specially crafted URL and access all files within the application's WAR folder.

8) Spoofing attack (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform spoofing attack.

The weakness exists due to insufficient input validation. A remote attacker can use URL manipulation in applications that support tags to spoof content and mislead users.

9) Improper input validation (CVE-ID: CVE-2017-9801)

The vulnerability allows a remote attacker to inject arbitrary files.

The weakness exists due to improper input validation flaw in the setSubject() method. A remote attacker can supply a specially crafted value containing line break characters, inject SMTP headers and perform further attack.

Remediation

Install update from vendor's website.

References

• https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapU...
• https://dev.liferay.com/web/community-security-team/known-vulnerabilities/-/asset_publisher/4AHAYapUm8Xc/content/cst-7045-smtp-header-injection-vulnerability-via-commons-email?inheritRedirect=false&redirect=https%3A%2F%2Fdev.liferay.com%2Fweb%2Fcommunity-security-team%2Fknown-vulnerabilities%3Fp_p_id%3D101_INSTANCE_4AHAYapUm8Xc%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-1%26p_p_col_pos%3D1%26p_p_col_count%3D4