PT-2022-26270 · Liferay · Liferay Portal, Liferay DXP
Published 2022-11-15 · Updated 2025-09-05 · CVE-2022-42124
CVSS v3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.3.2 through 7.4.3.4
Liferay DXP versions 7.2 fix pack 9 through fix pack 18
Liferay DXP version 7.3 before update 4
Liferay DXP version 7.4 GA
Description
A regular expression denial-of-service (ReDoS) vulnerability in LayoutPageTemplateEntryUpgradeProcess allows remote attackers to consume an excessive amount of server CPU time via a crafted payload injected into the name field of a layout prototype. Because the vulnerable code is an upgrade process, a malicious name that is already stored is evaluated when that upgrade step processes layout prototype names. The impact is availability only (CVSS C:N/I:N/A:H); no data is disclosed or modified.
Recommendations
For Liferay Portal versions 7.3.2 through 7.4.3.4, update to a release outside this range.
For Liferay DXP versions 7.2 fix pack 9 through fix pack 18, apply a fix pack outside this range.
For Liferay DXP version 7.3 before update 4, apply update 4 or later.
For Liferay DXP version 7.4 GA, update to a later 7.4 release outside the affected range.
As a temporary workaround, restrict who may create or edit layout prototypes so that untrusted users cannot set the name field, and, because the regular expression runs in an upgrade process, review the stored layout prototype names for oversized or pathological values before running the upgrade.
Fix
DoS
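The following script is an added example and is not Liferay's code: the page does not give the actual pattern used by LayoutPageTemplateEntryUpgradeProcess, so VULNERABLE_NAME_RE below is a hypothetical stand-in with the same defect class (a quantified group whose own quantifier can absorb the same characters). It shows why a crafted name makes such a pattern backtrack exponentially, the two checks that stop it (an unambiguous rewrite plus a length cap applied before any regex runs), and a pre-upgrade audit of stored names of the kind the workaround above calls for. MAX_NAME_LENGTH, the allowed character set and the sample names are assumptions constructed for the example.

```python
"""Added example (not Liferay's code): exponential backtracking on a
user-controlled name field, the hardened validator, and a pre-upgrade audit.
VULNERABLE_NAME_RE is a hypothetical stand-in for the real pattern, which the
advisory does not give; MAX_NAME_LENGTH and the sample names are assumptions."""
import re
import time

# Hypothetical stand-in: "words optionally separated by whitespace".  The
# outer + repeats a group whose inner + can absorb the same characters, so a
# name like "aaaa...a!" can be split 2**(n-1) ways before the match fails.
VULNERABLE_NAME_RE = re.compile(r"^(?:[A-Za-z0-9_]+\s?)+$")

# Same language, written so every character has exactly one way to be consumed:
# a word, then zero or more (single space + word) pairs.  Failure is linear.
HARDENED_NAME_RE = re.compile(r"^[A-Za-z0-9_]+(?: [A-Za-z0-9_]+)*$")

MAX_NAME_LENGTH = 75  # assumed cap; enforced before any regex runs


def crafted_name(n: int) -> str:
    """A ReDoS payload: n matchable characters followed by one that cannot match."""
    return "a" * n + "!"


def is_valid_name_vulnerable(name: str) -> bool:
    return VULNERABLE_NAME_RE.match(name) is not None


def is_valid_name_hardened(name: str) -> bool:
    # Cheap length check first so oversized input never reaches the matcher.
    if len(name) > MAX_NAME_LENGTH:
        return False
    return HARDENED_NAME_RE.match(name) is not None


def timed(check, name):
    """Run a validator and return (result, seconds elapsed)."""
    start = time.perf_counter()
    result = check(name)
    return result, time.perf_counter() - start


def audit_stored_names(names):
    """Pre-upgrade audit: return (name, reason) for every stored name the
    hardened validator would reject, so pathological values can be corrected
    in the data before an upgrade process evaluates them."""
    findings = []
    for name in names:
        if len(name) > MAX_NAME_LENGTH:
            findings.append((name, "exceeds MAX_NAME_LENGTH"))
        elif not HARDENED_NAME_RE.match(name):
            findings.append((name, "contains characters outside the allowed set"))
    return findings


if __name__ == "__main__":
    # Work grows roughly 2x per extra character for the vulnerable pattern and
    # stays flat for the hardened one; n=20 already costs a noticeable pause.
    for n in (12, 16, 20):
        payload = crafted_name(n)
        _, slow = timed(is_valid_name_vulnerable, payload)
        _, fast = timed(is_valid_name_hardened, payload)
        print(f"n={n:2d}  vulnerable={slow:.4f}s  hardened={fast:.6f}s")

    # Constructed sample of stored layout prototype names (not real data).
    sample = ["Landing Page", "blog_2022", crafted_name(20), "x" * 200]
    for name, reason in audit_stored_names(sample):
        print(f"flag {name[:24]!r}: {reason}")
```

Python's re module and java.util.regex (Liferay's runtime) are both backtracking engines, so the growth shape carries over even though the demonstration is not in Java. Neither engine exposes a step budget, which is why the portable fix is the one shown: reject oversized input before matching and use a pattern in which no character can be consumed by two alternatives.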
Affected Products
Liferay DXP
Liferay Portal