Blogs

Blogs

Liferay Portal 7.4 Community Security Patch for Log4j 2

Hello all,

The easiest thing you can do to mitigate the recent vulnerabilities in Log4j is to set the JVM parameter -Dlog4j2.formatMsgNoLookups=true. While this solution is not perfect, it should provide sufficient protection given how Log4j is used in Liferay Portal.

However, based on Log4j's newest recommendation to mitigate by removing the JndiLookup class, the Community Security Team wanted to make available a binary patch where the JndiLookup class has been removed.

Download link: log4j-security-patch.zip

This patch is for Liferay Portal 7.4.3.4. If you need to patch a different version, please refer to Fabian Bouche's blog post, Log4j2 vulnerability - Fixing the jar, to create your own patch.

Liferay Portal 7.4 GA5 will include updated versions of Log4j 2. We recommend that you upgrade to Liferay Portal 7.4 GA5 whenever it becomes available.

Hello, is it possible to replace log4j in Liferay 7.2.1GA2 version with the log4j jars packaged with Liferay 7.4.3.5-ga5 ? 

Under com.liferay.portal.search.elasticsearch6.impl.jar/lib , removing old log4j and copying 

org.apache.logging.log4j.core-2.17.0.LIFERAY-PATCHED-1

and 

org.apache.logging.log4j-2.17.0.LIFERAY-PATCHED-1

 

Regards,