Liferay Portal 7.4 Community Security Patch for Log4j 2

Hello all,

The easiest thing you can do to mitigate the recent vulnerabilities in Log4j is to set the JVM parameter -Dlog4j2.formatMsgNoLookups=true. While this solution is not perfect, it should provide sufficient protection given how Log4j is used in Liferay Portal.

However, based on Log4j's newest recommendation to mitigate by removing the JndiLookup class, the Community Security Team wanted to make available a binary patch where the JndiLookup class has been removed.

Download link: log4j-security-patch.zip

This patch is for Liferay Portal 7.4.3.4. If you need to patch a different version, please refer to Fabian Bouche's blog post, Log4j2 vulnerability - Fixing the jar, to create your own patch.

Liferay Portal 7.4 GA5 will include updated versions of Log4j 2. We recommend that you upgrade to Liferay Portal 7.4 GA5 whenever it becomes available.

3 Comments

Please sign in to comment.

but when is Liferay Portal 7.4 GA5 release? for some antivirus software, remove Jndilookup.class is not enough.

Please sign in to reply.

https://github.com/liferay/liferay-portal/releases

released!

Please sign in to reply.

Hello, is it possible to replace log4j in Liferay 7.2.1GA2 version with the log4j jars packaged with Liferay 7.4.3.5-ga5 ?

Under com.liferay.portal.search.elasticsearch6.impl.jar/lib , removing old log4j and copying

org.apache.logging.log4j.core-2.17.0.LIFERAY-PATCHED-1

and

org.apache.logging.log4j-2.17.0.LIFERAY-PATCHED-1

Regards,

Please sign in to reply.

Menu Display

Blogs

Category Filter

More Blog Entries

New Installers and IDE 3.9.5 GA6 Released

Remote Apps: How to use Liferay 7.4 new feature?