
Dec 18 Liferay’s Update about Log4j CVE-2021-45105

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Vulnerability Summary

A new vulnerability, CVE-2021-45105, affects Log4j version 2. It is fixed in Log4j 2.17.0, which completes the fix for a denial-of-service issue that the previous CVE-2021-45046 did not fully address. Default Liferay DXP and Liferay Portal bundles are not exploitable through this new vulnerability; DXP and Portal 7.4 are vulnerable only to the first issue, CVE-2021-44228.

Detailed information

CVE-2021-45105 is an additional fix on top of CVE-2021-45046. When an attacker supplies a lookup reference that substitutes to itself, the substitution can enter an infinite recursion loop. This leads to a StackOverflowError and, in an edge case, can consume all JVM threads and terminate the JVM.

The exploitation conditions are the same as for the previous CVE-2021-45046: the application must use a special Log4j configuration logging syntax and must store user-supplied input in the Log4j Thread Context Map. Liferay DXP does not use that Log4j configuration syntax and does not save user-supplied input into the Log4j Thread Context Map or any other related classes and contexts, as can be seen in https://github.com/liferay/liferay-portal/blob/7.4.x/portal-impl/src/com/liferay/portal/log/Log4jLogImpl.java.
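The first precondition above is a configuration property that can be checked mechanically. The following is an added example, not Liferay's code, that scans a Log4j 2 configuration for layout patterns using the Context Lookup syntax (`${ctx:...}` or the deferred `$${ctx:...}`), which is the syntax the NVD entry linked at the top of this page describes; the sample configurations embedded in it are constructed for the demonstration.

```python
"""Added example, not Liferay's code: flag Log4j 2 layout patterns that use the
Context Lookup syntax (${ctx:...} / $${ctx:...}), one of the two preconditions
the advisory lists. The sample configurations below are constructed."""
import re
import xml.etree.ElementTree as ET

# Immediate (${ctx:key}) and deferred ($${ctx:key}) Context Lookup references.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")


def find_context_lookups_xml(log4j2_xml: str) -> list:
    """Return (appender name, pattern) for each PatternLayout whose pattern
    contains a Context Lookup, covering both the attribute and <Pattern> forms."""
    findings = []
    for element in ET.fromstring(log4j2_xml).iter():
        for layout in element.findall("PatternLayout"):
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            if CTX_LOOKUP.search(pattern):
                findings.append((element.get("name", element.tag), pattern))
    return findings


def find_context_lookups_properties(log4j2_properties: str) -> list:
    """Same check for the properties form: any '*.pattern' key whose value
    contains a Context Lookup."""
    findings = []
    for line in log4j2_properties.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".pattern") and CTX_LOOKUP.search(value):
            findings.append((key.strip(), value.strip()))
    return findings


# Constructed sample: a default-style pattern with no lookups.
SAFE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c{1} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample: two appenders that pull values out of the Thread Context Map.
RISKY_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] $${ctx:loginId} %c{1} - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d ${ctx:requestId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Constructed sample in the properties format.
PROPERTIES_CONFIG = """# constructed sample
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d %-5p [%t] $${ctx:loginId} %m%n
"""

if __name__ == "__main__":
    print("safe xml:", find_context_lookups_xml(SAFE_CONFIG))
    print("risky xml:", find_context_lookups_xml(RISKY_CONFIG))
    print("properties:", find_context_lookups_properties(PROPERTIES_CONFIG))
```

A hit from this check only means the first precondition holds; the second one, user-supplied input reaching the Thread Context Map, has to be confirmed in the application code, which is the part the Log4jLogImpl link above addresses for Liferay.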

How can I mitigate my exposure?

There is no need to mitigate CVE-2021-45105. For peace of mind, we recommend removing JndiLookup.class from any log4j JAR files: https://liferay.dev/blogs/-/blogs/log4j2-vulnerability-fixing-the-jar.

Be aware that this mitigation can have side effects and should be tested in customer-specific environments.
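To see where that mitigation applies, an inventory of the log4j-core JARs in an installation is the first step. The following is an added example, not Liferay's code and not the script from the linked blog post: it walks a directory tree, reports each log4j-core JAR's version (taken from the file name) and whether it still contains JndiLookup.class, and writes a hardened copy with that entry removed so the original stays available for rollback. The 2.17.0 threshold is the fix version named above; the JARs it creates are constructed stand-ins with dummy contents.

```python
"""Added example, not Liferay's code: inventory log4j-core JARs under a directory,
report version and JndiLookup.class presence, and write a copy with the class
removed. The sample JARs built by demo() are constructed, not real Log4j builds."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 0)  # the advisory names 2.17.0 as the fix for CVE-2021-45105
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")


def parse_version(jar_path):
    """Version tuple from a file name such as log4j-core-2.14.1.jar, else None."""
    match = VERSION_RE.search(os.path.basename(jar_path))
    return tuple(int(x) for x in match.groups()) if match else None


def inspect_jar(jar_path):
    """Report version, JndiLookup.class presence and whether the JAR predates the fix."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    version = parse_version(jar_path)
    return {
        "path": jar_path,
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "below_fix": version is not None and version < FIXED_VERSION,
    }


def scan_tree(root):
    """Inspect every log4j-core*.jar below root, sorted by path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def strip_jndi_lookup(jar_path, out_path):
    """Copy jar_path to out_path, omitting JndiLookup.class; True if it was present."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def make_sample_jar(path):
    """Constructed stand-in for a log4j-core JAR: a manifest plus a dummy class entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe constructed placeholder")


def demo():
    """Build two constructed JARs, scan them, harden the pre-fix one, return the results."""
    work = tempfile.mkdtemp(prefix="log4j-inventory-")
    try:
        old = os.path.join(work, "lib", "log4j-core-2.14.1.jar")
        new = os.path.join(work, "lib", "log4j-core-2.17.0.jar")
        make_sample_jar(old)
        make_sample_jar(new)
        before = scan_tree(work)
        hardened = old + ".patched"
        removed = strip_jndi_lookup(old, hardened)
        after = inspect_jar(hardened)
        return {"before": before, "removed": removed,
                "after_has_jndi_lookup": after["has_jndi_lookup"]}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for row in demo()["before"]:
        print(row)
```

The version check and the class check are reported separately on purpose: upgrading to the fixed release is the formal remedy, while removing the class is the interim measure this page recommends, and a JAR can satisfy one without the other. Because the hardened copy is written beside the original rather than over it, the side-effect testing recommended above can be done before swapping the files.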

Will there be a formal fix for this issue?

Log4j libraries will be upgraded in the product to a non-vulnerable version in the next fix pack / update.

Customers with further concerns can ask for a hotfix by creating a support ticket.
