Security


Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-4104 
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Vulnerabilities Summary

Critical vulnerabilities were identified in Log4j, two of which give an attacker complete control of a vulnerable application. Three CVEs were filed for these vulnerabilities:

  1. CVE-2021-44228 - RCE via JNDI lookups resolved inside logged messages (Log4j 2)
  2. CVE-2021-4104 - RCE via a malicious JMSAppender placed in the Log4j configuration file (Log4j 1.2)
  3. CVE-2021-45046 - DoS via a non-default Pattern Layout that copies attacker-controlled data from the Thread Context Map into the logged message (Log4j 2)

Liferay DXP 7.4 is impacted by (1) CVE-2021-44228, as announced in a previous update. No other Liferay DXP version is vulnerable to any of the CVEs published.

Detailed information

CVE-2021-44228 was announced previously. Only DXP 7.4 uses Log4j 2 in a configuration that can be exploited; other versions are not exploitable.

CVE-2021-4104 requires an attacker to have write access to the log4j.xml or log4j.properties configuration file, so that a JMSAppender pointing at an attacker-controlled endpoint can be added to it. Liferay DXP does not let any of its users write files to the server's disk.

CVE-2021-45046 requires an application to use a non-default Pattern Layout that reads from the Thread Context Map, either a Context Lookup (for example ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), and to store user-supplied input in the Log4j Thread Context Map. Liferay DXP does not use that layout syntax and does not save user-supplied input in the Log4j Thread Context Map or any related class or context.
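A check for the layout syntax described above, as an added example (not a Liferay-provided tool): it pulls every PatternLayout pattern out of a log4j2.xml or log4j2.properties file and reports the tokens that read from the Thread Context Map. The two sample configurations embedded in it are constructed for the demonstration and are not taken from any Liferay DXP installation.

```python
import re
import xml.etree.ElementTree as ET

# Syntax named by the CVE-2021-45046 advisory: a Context Lookup such as
# ${ctx:loginId} (or the deferred form $${ctx:loginId}) and the Thread Context
# Map conversion patterns %X, %mdc and %MDC. Either one copies Thread Context
# Map values into the formatted message, where lookups are then resolved.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")
TCM_PATTERN = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")


def risky_tokens(pattern):
    """Return the tokens in one layout pattern that read from the Thread Context Map."""
    return CONTEXT_LOOKUP.findall(pattern) + TCM_PATTERN.findall(pattern)


def layout_patterns_xml(xml_text):
    """Collect every PatternLayout pattern in a log4j2.xml document.
    Handles <PatternLayout pattern="..."/>, a nested <Pattern> element and the
    strict-mode form <Layout type="PatternLayout" pattern="..."/>."""
    patterns = []
    for elem in ET.fromstring(xml_text).iter():
        is_layout = elem.tag.lower() == "patternlayout" or elem.get("type") == "PatternLayout"
        if not is_layout:
            continue
        if elem.get("pattern"):
            patterns.append(elem.get("pattern"))
        for child in elem:
            if child.tag.lower() == "pattern" and child.text:
                patterns.append(child.text.strip())
    return patterns


def layout_patterns_properties(props_text):
    """Collect layout patterns from a log4j2.properties file (keys ending in
    .layout.pattern). Log4j 1.x ConversionPattern keys are out of scope here."""
    patterns = []
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".layout.pattern"):
            patterns.append(value.strip())
    return patterns


def audit(patterns):
    """Map each pattern to the risky tokens it contains; an empty map means clean."""
    report = {}
    for pattern in patterns:
        tokens = risky_tokens(pattern)
        if tokens:
            report[pattern] = tokens
    return report


# Constructed sample configurations (not taken from any Liferay DXP install).
SAMPLE_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5p %c - %m%n"/>
    </Console>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d [%t] %X{loginId} ${ctx:loginId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Safe"/></Root>
  </Loggers>
</Configuration>
"""

SAMPLE_PROPERTIES = """# constructed log4j2.properties
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d %-5p %mdc{sessionId} %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""


if __name__ == "__main__":
    for name, patterns in (("log4j2.xml", layout_patterns_xml(SAMPLE_XML)),
                           ("log4j2.properties", layout_patterns_properties(SAMPLE_PROPERTIES))):
        for pattern, tokens in audit(patterns).items():
            print(f"{name}: pattern {pattern!r} uses {tokens}")
```

A hit only matters when user-controlled data actually reaches the Thread Context Map (ThreadContext.put in application or module code), so treat the report as the list of patterns to review rather than as proof of exposure; a clean report on every configuration file the JVM loads is what the "does not use the mentioned syntax" statement above amounts to for your own deployment.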

How can I mitigate my exposure?

To mitigate CVE-2021-44228 it is recommended to add the following JVM option to your start-up parameters:

-Dlog4j2.formatMsgNoLookups=true

Note that this property is only honored by Log4j 2.10 and later, and Apache has since described it as an incomplete mitigation that does not cover CVE-2021-45046; removing JndiLookup.class is the more robust step.

For additional assurance we recommend removing JndiLookup.class from any log4j JAR files. Be aware this mitigation can have side effects and should be tested in customer specific environments.

There is no need to mitigate CVE-2021-4104. For additional assurance we recommend removing JMSAppender.class from any log4j JAR files, or removing write permission on the Liferay DXP JVM classpath directories, if possible. Be aware this mitigation can have side effects and should be tested in customer specific environments.

There is no need to mitigate CVE-2021-45046. For additional assurance we recommend removing JndiLookup.class from any log4j JAR files, the same step recommended for CVE-2021-44228, with the same caveat that it can have side effects and should be tested in customer specific environments.
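The class-removal steps above (JndiLookup.class for CVE-2021-44228 and CVE-2021-45046, JMSAppender.class for CVE-2021-4104) as an added Python example; this is not a Liferay-supplied tool. It walks a directory for jars, reports which of the two classes each one contains, and rewrites the jar without them while keeping a .bak copy. The entry paths are the ones Log4j 2 (log4j-core) and Log4j 1.2 package the classes under; the jars the demo builds are constructed stand-ins, not real Log4j artifacts.

```python
import os
import shutil
import tempfile
import zipfile

# Class entries named in the advisory, at the paths Log4j packages them
# (log4j-core 2.x and log4j 1.2 respectively).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
TARGETS = (JNDI_LOOKUP, JMS_APPENDER)


def find_targets(jar_path):
    """Return the target class entries present in one jar."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [t for t in TARGETS if t in names]


def scan_tree(root):
    """Map each .jar under root to the target entries it contains (hits only).
    Nested jars (inside WARs or LPKGs) are not descended into."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = find_targets(path)
            except zipfile.BadZipFile:
                continue  # not a real jar
            if found:
                hits[path] = found
    return hits


def strip_targets(jar_path):
    """Rewrite jar_path without the target entries; return what was removed.
    zipfile cannot delete in place, so every other entry is copied to a temp
    file in the same directory which is then atomically swapped in. The
    original is kept as <jar>.bak, which a lib/*.jar classpath will not load."""
    removed = find_targets(jar_path)
    if not removed:
        return []
    shutil.copy2(jar_path, jar_path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename in TARGETS:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)
    return removed


def make_sample_tree(root):
    """Constructed stand-in jars (NOT real Log4j) so the scanner runs offline."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only, no real bytecode
    core = os.path.join(lib, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, fake_class)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
    old = os.path.join(lib, "log4j-1.2.17.jar")
    with zipfile.ZipFile(old, "w") as zf:
        zf.writestr(JMS_APPENDER, fake_class)
    clean = os.path.join(lib, "commons-lang-2.6.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/apache/commons/lang/StringUtils.class", fake_class)
    return core, old, clean


def demo():
    """Build the sample tree, strip what the advisory names, return the evidence."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core, old, clean = make_sample_tree(root)
    before = {os.path.basename(p): v for p, v in scan_tree(root).items()}
    for jar in (core, old, clean):
        strip_targets(jar)
    after = scan_tree(root)
    with zipfile.ZipFile(core) as zf:
        core_entries = sorted(zf.namelist())
    backups = sorted(f for f in os.listdir(os.path.join(root, "lib")) if f.endswith(".bak"))
    shutil.rmtree(root)
    return before, after, core_entries, backups


if __name__ == "__main__":
    before, after, core_entries, backups = demo()
    print("before:", before)
    print("after:", after, "core now holds:", core_entries, "backups:", backups)
```

On a real system point scan_tree at the application server's lib directory and the Liferay module directories (the paths are installation-specific), run strip_targets on each hit while the JVM is stopped, restart, and rescan to confirm an empty report. Log4j 2 logs a warning about the missing lookup at startup once JndiLookup.class is gone; that is the expected side effect referred to above, and it is why the change should be tested before it reaches production.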

Will there be a formal fix for this issue?

Log4j libraries will be upgraded in the product to a non-vulnerable version in an upcoming fix pack / update.

Customers with further concerns can ask for a hotfix by creating a support ticket.
