Blogs

As the entire Java world, yesterday we've also been hastily going through all our systems, looking for this bug :) I think it's worth noting that the only affected Liferay version is 7.4 (and above). All versions below are still using log4j 1.x so they are not vulnerable (confirmed by Liferay support).

Thanks a lot for posting here !!!

Thanks mate.

Thanks, changes applied. It would be great to know how a patch from the log4j library can be applied to a Liferay CE release.

Thanks David for this update. In Liferay 7.3.x, in the bundle directory, I found log4j2 jars in directory elasticsearch and in directory state/1639. Are they only used "internaly" to make liferay talk to elasticserach or are they expose "externaly" and a target to a potential attack ? Thank you.

Hey David, looks like our 7.2 DXP and elastic search does have version 2.1.1 I checked the properties file and do not see the -Dlog4j2.formatMsgNoLookups parameter. If this parameter is not on the properties file, is the default false? basically do we need to add that parameter if its missing from the properties file.

Hi David, Can we apply this setting in tomcat/bin/setenv.sh ? -Dlog4j2.formatMsgNoLookups=true

find . -name "log4j*.jar"                                                                                                                                      ./bundles/liferay-ce-portal-7.3.0-ga1/osgi/state/org.eclipse.osgi/1224/18/.cp/lib/log4j-api-2.11.1.jar ./bundles/liferay-ce-portal-7.3.0-ga1/osgi/state/org.eclipse.osgi/1232/18/.cp/lib/log4j-api-2.11.1.jar ./bundles/liferay-ce-portal-7.3.0-ga1/osgi/state/org.eclipse.osgi/78/0/.cp/lib/log4j-api-2.11.2.jar ./bundles/liferay-ce-portal-7.3.0-ga1/osgi/state/org.eclipse.osgi/78/0/.cp/lib/log4j-core-2.11.2.jar ./bundles/liferay-ce-portal-7.3.0-ga1/tomcat-9.0.17/webapps/ROOT/WEB-INF/lib/log4j.jar ./bundles/liferay-ce-portal-7.3.0-ga1/tomcat-9.0.17/webapps/ROOT/WEB-INF/lib/log4j-extras.jar

Ergo: Liferay Portal CE 7.3.0 is affected, apply the mitigation fix as per the Microsoft response to the CVE, immediately!

Any update on Liferay and Gradle v6.6.1, I tried upgrading Gradle and there is an issue with the plugins:

``` Failed to notify project evaluation listener org/gradle/api/plugins/osgi/OsgiPlugin Failed to notify project evaluation listener osgi/OsgiPlugin ```

Hi David, is there a remediation plan for Liferay CE 7.2 and above to upgrade log4j2 version to 2.15.  in a new Liferay CE release? I see that there is fixed applied to DXP 7.0,7.1,7.2

https://issues.liferay.com/browse/LPE-1706

I have already added the JVM parameter in Liferay 7.2 servers to mitigate the problem as you recommended

According to https://github.com/lunasec-io/lunasec/blob/master/docs/blog/2021-12-14-log4j-zero-day-update-on-CVE-2021-45046.mdx this setting is also not safe...

Lunasec has prepared usefull tool (https://github.com/lunasec-io/lunasec/releases/) that looks up hashes of affected classes in a given directory, here is a result of 7.4.3 CE version scan:

└➤ ./temp/log4shell_1.3.0-log4shell_Linux_x86_64 scan liferay/bundles/ 9:39AM ??? Identified vulnerable path         cve: CVE-2021-44228         fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class         hash: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e         path: liferay/bundles/elasticsearch-sidecar/7.10.2/lib/log4j-core-2.11.1.jar         severity: 10.0         versionInfo: "2.10.0, 2.11.0, 2.11.1, 2.11.2, 2.9.0, 2.9.1" 9:39AM ??? Identified vulnerable path         cve: CVE-2021-44228         fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class         hash: 2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f         path: liferay/bundles/osgi/state/org.eclipse.osgi/204/0/.cp/lib/log4j-core-2.13.3.jar         severity: 10.0         versionInfo: "2.13.0, 2.13.1, 2.13.2, 2.13.3" 9:39AM ??? Identified vulnerable path         cve: CVE-2021-44228         fileName: org/apache/logging/log4j/core/lookup/JndiLookup.class         hash: 84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f         path: liferay/bundles/tomcat-9.0.53/webapps/ROOT/WEB-INF/shielded-container-lib/log4j-core.jar         severity: 10.0         versionInfo: "2.14.0, 2.14.1"

Hi 

I was guided if it's impossible to replace the log4j jar file, then deleting the JNDILookup.class inside log4j-core-2.xx.jar file will also work.

So I tried following steps to solve log4j vulnerability in my 7.3.2 version. 

1. unzip "Liferay CE Foundation - Liferay CE Connector to Elasticsearch 6 - Impl.lpkg" file which is stored in marketplace folder. You will find "com.liferay.portal.search.elasticsearch6.impl-4.0.15.jar" file inside the unzipped folder.

2. unzip "com.liferay.portal.search.elasticsearch6.impl-4.0.15.jar" and locate "log4j-core-2.11.2.jar" file inside the lib folder. 

3. unzip "log4j-core-2.11.2.jar" and locate JNDILookup.class file inside the "org/apache/logging/log4j/core/lookup" folder and delete the class file. After deleting it, re-zip the jar files. 

4. After zipping "com.liferay.portal.search.elasticsearch6.impl-4.0.15.jar"  rename it to "com.liferay.portal.search.elasticsearch6.impl.jar" and copy the file to [Liferay_HOME]/osgi/marketplace/override folder. 

5. restart Liferay, and the overridden jar file will be installed during startup. 

I haven't found any functional errors yet after replacing the file.

Give it a try and let me know :)  

Hello everybody

We're using 7.2.1, that includes log4j 1.2.17. There is a similar vulnerability that affects this version: https://www.cvedetails.com/cve/CVE-2021-4104/

What should we do? Does the suggested workaround work? Do we have to upgrade to a specific Liferay version? Can we substitute the lib?

Thanks in advance for your help

Hello.

Will there be a release which includes a newer version of elasticsearch? Customers are permanently asking because their security scanners report the log4j-jars in the elasticsearch sidecar.