Bem-vindo à Nova Experiência do Portal do Cliente Liferay!
Concluímos recentemente a migração para o novo Portal do Cliente e para a experiência de tickets de suporte. Explore a página inicial e o menu superior para acessar todas as ferramentas e recursos disponíveis. Por favor, observe:
Chamados em andamento: Os tickets que estavam em andamento antes da migração podem ser encontrados clicando em Meus Tickets na página inicial ou no menu Suporte.
Novos chamados de suporte: Para criar um novo chamado, clique em Abrir um Ticket na página inicial ou no menu Suporte.
Caso encontre qualquer dificuldade ao registrar chamados no novo sistema, entre em contato conosco via: support.liferay.com/callback-request

Security

Voltar para Security Alert

Update: Log4j Security Advisory

Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Log4j 2.0+, CVE-2021-44228

Vulnerability Summary

On Dec. 9, 2021 a critical vulnerability was identified in Log4j 2.0+. Log4j is a Java logging library used by many Java based applications worldwide.

It is important to note that not all customers are affected by this vulnerability. Please read the details below to determine whether or not you are impacted by this security issue.

What is the concern?

The primary concern is that the vulnerability could be used via a simple HTTP request. In some cases the vulnerability is believed to provide attackers with the opportunity to execute program code remotely. Liferay recommends all customers take immediate steps to address the issue.

How is Liferay impacted?

Liferay 7.3 and lower use an older version of Log4j that does not expose this vulnerability. However, the majority of Liferay customers also leverage Elasticsearch, which uses the affected Log4j library for its logging. In general, a dedicated Elasticsearch cluster being used by Liferay is not publicly exposed, which means that access to the search infrastructure is proxied through Liferay functionality. In this standard configuration of Liferay, the affected library exists, but it is highly unlikely that the vulnerability could be leveraged by an attacker, and thus the risk of exposure is low.

How can I mitigate my exposure?

This vulnerability only directly exposes customers using DXP Portal version 7.4 GA1. However, in order to mitigate potential use of the affected library in custom code, Liferay recommends that all customers add the following JVM option to your start-up parameters:

-Dlog4j2.formatMsgNoLookups=true

This preventative measure will help to mitigate risk of exposure due to an environment having been changed from the Liferay stock bundle configuration, or any plug-in that may be utilizing Log4j 2.0+.

Will there be a formal fix for this issue?

There is no formal patch expected from Liferay at this time. Elasticsearch is working on changes to address the vulnerability in their product and any fixes they provide will be included in the next fixpack/update.

What if I am a Liferay SaaS customer?

Liferay SaaS applications and infrastructure are not impacted by the vulnerability, however it is Liferay’s position that all customers should follow any instructions provided by Elasticsearch as well as modify their JVM parameters as outlined above.

Questions?

Have more questions about the vulnerability? Don’t hesitate to reach out to Liferay Support or your Customer Success Manager.

On this page

Primeiros passos

Ajuda do Portal do Cliente

Liferay Learn

Artigos de instruções

Visão geral de segurança

Relatórios de segurança

Release Notes

Atualizações do Portal do Cliente

Downloads

Meus tickets

Abrir um ticket

Escalar um ticket

Cobertura de suporte

Serviços e Compatibilidade

Fale conosco

Eventos para clientes