CVE-2021-33323
📋 TL;DR
This vulnerability in Liferay Portal's Dynamic Data Mapping module allows unauthenticated remote attackers to view form values that were autosaved by other users. It affects Liferay Portal 7.1.0 through 7.3.2 and Liferay DXP 7.1 before fix pack 19 and 7.2 before fix pack 7.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sensitive information submitted through forms (such as personal data, credentials, or confidential business information) could be exposed to unauthorized parties.
Likely Case
Exposure of form data containing personal identifiable information, internal data, or other sensitive information submitted by users.
If Mitigated
Limited exposure of non-sensitive form data with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill: an attacker only needs to reach forms whose values were autosaved by other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.3.3+; Liferay DXP 7.1 fix pack 19+; Liferay DXP 7.2 fix pack 7+
Vendor Advisory: https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack or update from Liferay's official portal.
2. Apply the patch according to Liferay's update procedures.
3. Restart the Liferay server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Dynamic Data Mapping Autosave
Disable the autosave functionality for forms in the Dynamic Data Mapping module configuration.
Navigate to Control Panel > Configuration > System Settings > Dynamic Data Mapping > Forms > Disable 'Auto Save' setting
Restrict Form Access
Configure forms to require authentication before allowing form submissions or viewing.
Set appropriate permissions in Control Panel > Site Administration > Content > Forms > Permissions
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to Liferay forms from untrusted networks
- Enable detailed logging for form access and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Liferay version in Control Panel > Server Administration > Properties > liferay.version
Check Version:
Check liferay.version property in portal-ext.properties or via Control Panel
Verify Fix Applied:
Verify version is updated to non-vulnerable version and test form autosave functionality with unauthenticated access
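The version check above can be scripted. The following is an added example (not code from this advisory or from Liferay): it reads the liferay.version value out of a .properties file and compares it with the affected ranges the advisory lists (Portal 7.1.0 through 7.3.2; DXP 7.1 before fix pack 19; DXP 7.2 before fix pack 7). The properties content is constructed for the demonstration; the DXP fix pack level is not encoded in the version string, so it is passed in separately.

```python
# Added example, not from the advisory or Liferay: compare liferay.version
# against the ranges the advisory lists for CVE-2021-33323.
import re

PORTAL_AFFECTED_MIN = (7, 1, 0)
PORTAL_AFFECTED_MAX = (7, 3, 2)                 # inclusive; 7.3.3 and later are fixed
DXP_FIXED_FIX_PACK = {(7, 1): 19, (7, 2): 7}    # first fixed fix pack per DXP line


def parse_version(text):
    """'7.3.2' or '7.3.2-ga3' -> (7, 3, 2); raises ValueError on unexpected input."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def read_liferay_version(properties_text):
    """Return the liferay.version value from Java .properties content, or None if absent."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank lines and comments
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "liferay.version":
            return value.strip()
    return None


def assess(version_text, edition="portal", fix_pack=None):
    """Classify an install for this CVE: 'vulnerable', 'not in affected range',
    or 'not listed in advisory' (DXP lines the advisory does not mention)."""
    v = parse_version(version_text)
    if edition.lower() == "dxp":
        fixed_fp = DXP_FIXED_FIX_PACK.get(v[:2])
        if fixed_fp is None:
            return "not listed in advisory"
        if fix_pack is None:
            raise ValueError("DXP assessment needs the installed fix pack level")
        return "vulnerable" if fix_pack < fixed_fp else "not in affected range"
    if PORTAL_AFFECTED_MIN <= v <= PORTAL_AFFECTED_MAX:
        return "vulnerable"
    return "not in affected range"


# Constructed portal-ext.properties content for the demonstration (not a real deployment)
SAMPLE_PROPERTIES = """\
# constructed sample
company.default.locale=en_US
liferay.version=7.3.2
"""

if __name__ == "__main__":
    ver = read_liferay_version(SAMPLE_PROPERTIES)
    print(f"liferay.version={ver}: {assess(ver)}")
```

Treat the result as a first pass only: the advisory also asks you to confirm the fix by testing the autosave behaviour, since a version string can be edited without the fix pack actually being applied.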
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to form endpoints
- Access to form data by IPs not associated with legitimate users
Network Indicators:
- Unusual patterns of form submissions from unauthenticated sources
- Traffic to form endpoints without authentication headers
SIEM Query:
source_ip NOT IN (authenticated_users) AND uri CONTAINS '/dynamic-data-mapping-form' AND response_code=200
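The SIEM query above can be run directly over web-server access logs. The following is an added example (not code from this advisory or from Liferay) that applies the same three conditions to access-log lines: a URI containing '/dynamic-data-mapping-form' (the only path fragment taken from the advisory), an HTTP 200 response, and no authenticated user, then counts qualifying requests per source IP so that the "multiple unauthenticated requests" indicator can be thresholded. The log lines and URI paths are constructed for the demonstration, and the example assumes the container writes the authenticated user in the third field of a common-log-style line, with "-" meaning none.

```python
# Added example, not from the advisory or Liferay: flag source IPs that
# repeatedly fetched form URIs with HTTP 200 and no authenticated user.
import re
from collections import Counter

# Common-log-like shape: ip ident user [time] "method uri proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
FORM_URI_MARKER = "/dynamic-data-mapping-form"   # substring used by the advisory's SIEM query


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def unauthenticated_form_hits(log_text):
    """Count, per source IP, 200 responses to form URIs where no user was authenticated."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # skip malformed lines instead of aborting the run
        if (FORM_URI_MARKER in rec["uri"]
                and rec["status"] == "200"
                and rec["user"] == "-"):    # assumption: "-" means no authenticated user
            hits[rec["ip"]] += 1
    return hits


def flag_sources(log_text, threshold=3):
    """IPs with at least `threshold` qualifying hits, most active first."""
    hits = unauthenticated_form_hits(log_text)
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log: three unauthenticated 200s from one IP, one authenticated
# fetch, one unrelated page, one 403, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2021:10:00:01 +0000] "GET /o/dynamic-data-mapping-form/forms/1234 HTTP/1.1" 200 5120
203.0.113.10 - - [12/May/2021:10:00:03 +0000] "GET /o/dynamic-data-mapping-form/forms/1235 HTTP/1.1" 200 4980
203.0.113.10 - - [12/May/2021:10:00:05 +0000] "GET /o/dynamic-data-mapping-form/forms/1236 HTTP/1.1" 200 5011
198.51.100.7 - jdoe [12/May/2021:10:01:00 +0000] "GET /o/dynamic-data-mapping-form/forms/1234 HTTP/1.1" 200 5120
192.0.2.44 - - [12/May/2021:10:02:00 +0000] "GET /web/guest/home HTTP/1.1" 200 8800
192.0.2.44 - - [12/May/2021:10:02:10 +0000] "GET /o/dynamic-data-mapping-form/forms/9 HTTP/1.1" 403 210
this line is not an access-log record
"""

if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {count} unauthenticated form fetches returned 200")
```

Two caveats when adapting this to a real deployment: Liferay logins are session-cookie based, so the container's remote-user field may be empty even for logged-in users, and "unauthenticated" should then be derived from the portal's own session or audit logs rather than the access log alone; and the threshold should be tuned against a baseline of legitimate anonymous form traffic for the site.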
🔗 References
- https://issues.liferay.com/browse/LPE-17049
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747107