The Time Bomb in the Schema: Liferay Upgrade SQL Injection
Vulnerability ID: CVE-2023-33945
CVSS Score: 6.4
Published: 2023-05-24
A high-complexity but devastating SQL injection vulnerability in the Liferay Portal/DXP upgrade process allows attackers to plant malicious payloads in database metadata (primary keys), which are then executed with elevated privileges during system upgrades.
TL;DR
Liferay's upgrade tool for MS SQL Server trusts database metadata blindly. If an attacker can rename a Primary Key constraint to contain malicious SQL, the upgrade script—running with high privileges—will execute it. It's a classic 'Second-Order' SQL injection turned into a persistence time bomb.
Technical Details
- CWE ID: CWE-89 (Improper Neutralization of Special Elements in SQL Command)
- Attack Vector: Network (Context Dependent)
- CVSS v3.1: 6.4 (Medium)
- Impact: Critical (RCE/DBA via Upgrade)
- EPSS Score: 0.00282 (Low Probability)
- Exploit Status: No Public PoC / Weaponized Exploit
Affected Systems
- Liferay Portal (7.3.1 - 7.4.3.17)
- Liferay DXP 7.3 (< Update 6)
- Liferay DXP 7.4 (< Update 18)
- Microsoft SQL Server (Database Backend)
-
Liferay Portal: >= 7.3.1, <= 7.4.3.17 (Fixed in:
7.4.3.18) -
Liferay DXP 7.3: < Update 6 (Fixed in:
Update 6) -
Liferay DXP 7.4: < Update 18 (Fixed in:
Update 18)
Mitigation Strategies
- Input Validation of Database Metadata
- Principle of Least Privilege for Upgrade Accounts
- Schema Auditing before Maintenance
Remediation Steps:
- Upgrade Liferay Portal to 7.4.3.18 or later.
- Upgrade Liferay DXP 7.3 to Update 6 or later.
- Upgrade Liferay DXP 7.4 to Update 18 or later.
- Run the provided SQL audit query to detect existing malicious constraint names.
References
Read the full report for CVE-2023-33945 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)