Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-4104 
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Executive Summary

A few critical flaws were announced in Log4j & Log4j2 versions from Dec 10th to Dec 18th. Liferay identified that only the 7.4 versions of Liferay Portal or DXP are vulnerable to the referenced advisories, namely to CVE-2021-44228.

For more information please see detailed Liferay advisories  at https://help.liferay.com/hc/en-us/sections/360002102392-Security-Alert

Liferay DXP

Log4j2 libraries were replaced with Reload4j in the product. Customers can either request a patch with this change or update to the next release (7.3 SP4 & all other versions TBD).

Customers should not attempt to update Log4j[1] to 2.17.1 as it requires code changes and a recompile, which nullifies the support of Log4j.

Elasticsearch / Liferay Enterprise Search Customers

Elasticsearch downloads for versions 7.16.2 and 6.8.22 are now available. These releases include the most recent version of Log4j (2.17.0).

Please reference this LES advisory article for more details and ongoing updates.

Customers on Solr

Solr 8.11.x is now added as compatible on the Search Engine Compatibility Matrix for Liferay DXP 7.1-7.3.