Bem-vindo à Nova Experiência do Portal do Cliente Liferay!
Concluímos recentemente a migração para o novo Portal do Cliente e para a experiência de tickets de suporte. Explore a página inicial e o menu superior para acessar todas as ferramentas e recursos disponíveis. Por favor, observe:
Chamados em andamento: Os tickets que estavam em andamento antes da migração podem ser encontrados clicando em Meus Tickets na página inicial ou no menu Suporte.
Novos chamados de suporte: Para criar um novo chamado, clique em Abrir um Ticket na página inicial ou no menu Suporte.
Caso encontre qualquer dificuldade ao registrar chamados no novo sistema, entre em contato conosco via: support.liferay.com/callback-request

Security

Voltar para Security Alert

Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Vulnerabilities Summary

Critical vulnerabilities were identified in Log4j 2.0+ that give attackers complete control of a vulnerable application. There were 3 CVEs filled for these vulnerabilities:

CVE-2021-44228 - RCE via Log4j log messages (Log4j version 2)
CVE-2021-4104 - RCE via Log4j configuration file in (Log4j version 1)
CVE-2021-45046 - DoS via special Log4j configuration file and extended use of Log4j (Log4j version 2)

Liferay DXP 7.4 is impacted by (1) CVE-2021-44228, as announced in a previous update. No other Liferay DXP version is vulnerable to any of the CVEs published.

Detailed information

CVE-2021-44228 was announced previously, only DXP 7.4 uses Log4j2 in a vulnerable configuration that can be exploited. Other versions are not exploitable.

CVE-2021-4104 requires an attacker to have write access to the log4j.xml or log4j.properties configuration file. In Liferay DXP no user has access to write files on disk.

CVE-2021-45046 requires an application to use a special log4j configuration logging syntax and to store user-supplied input into Log4j Thread Context Map. Liferay DXP does not use the mentioned Log4j configuration syntax and does not save user-supplied input into Log4j Thread Context Map or any other related classes and contexts.

How can I mitigate my exposure?

To mitigate CVE-2021-44228 it’s recommended to add the following JVM option to your start-up parameters:

-Dlog4j2.formatMsgNoLookups=true

For peace of mind we recommend removing JndiLookup.class from any log4j JAR files. Be aware this mitigation can have side effects and should be tested in customer specific environments.

There is no need to mitigate CVE-2021-4104. For peace of mind we recommend removing JMSAppender.class from any log4j JAR files or disabling write permission to Liferay DXP JVM classpath directories, if possible. Be aware this mitigation can have side effects and should be tested in customer specific environments.

There is no need to mitigate CVE-2021-45046. For peace of mind we recommend removing JndiLookup.class from any log4j JAR files. Be aware this mitigation can have side effects and should be tested in customer specific environments.

Will there be a formal fix for this issue?

Log4j libraries will be upgraded in the product to a non-vulnerable version in a next fix pack / update.

Customers with further concerns can ask for a hotfix by creating a support ticket.

On this page

Primeiros passos

Ajuda do Portal do Cliente

Liferay Learn

Artigos de instruções

Visão geral de segurança

Relatórios de segurança

Release Notes

Atualizações do Portal do Cliente

Downloads

Meus tickets

Abrir um ticket

Escalar um ticket

Cobertura de suporte

Serviços e Compatibilidade

Fale conosco

Eventos para clientes