RE: RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Hi Kevin, from what I understand any version below 7.4 is not impacted by the vulnerability. However, taking from Dave's blog where he suggests adding the system property -Dlog4j2.formatMsgNoLookups=true to any version seems like sound advice. I added it to one of my 7.3 environments just to be sure.
Thanks Jamie. Will there be a Liferay 7.4 CE release to update to log4j2 version 2.16.0?
Yes, the next version, 7.4 GA5, will have log4j2 2.16.0.
Hi Jamie, any word on when the new Liferay CE 7.4 GA5 will be released?
Thanks
Kevin
Hi Kevin, it has been released: https://liferay.dev/blogs/-/blogs/liferay-portal-7-4-ga5-and-liferay-commerce-4-0-ga5-release
OK, great. Do you know what version of log4j is used? Is it 2.16 or 2.17?
It includes log4j 2.17.
OK, great! Thanks Jamie.
Hi Jamie, does the new Liferay version contain log4j2 version 2.17.1 or 2.17.0?
Thanks
Kevin
OK, found it. Something seems to be strange on the master branch.
It seems to be version 2.17.1: https://github.com/liferay/liferay-portal/blob/master/lib/portal/dependencies.properties
But when I import the Liferay source I see this version:
log4j-api=com.liferay:org.apache.logging.log4j:2.17.0.LIFERAY-PATCHED-1
log4j-core=com.liferay:org.apache.logging.log4j.core:2.17.0.LIFERAY-PATCHED-1
Hi Kevin, 7.4 GA5 contains log4j 2.17.0. log4j 2.17.1 will be included in the upcoming 7.4 GA7 which should be released in the next few days. Our security team deemed 2.17.0 safe for deployment but if you would prefer to be on 2.17.1 then I would just wait for GA7.
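The two dependencies.properties lines quoted earlier in this thread show why the version question keeps coming up: the coordinate carries a vendor suffix (2.17.0.LIFERAY-PATCHED-1), so a naive string compare against "2.17.1" misreads it. The following script is an added example, not Liferay's code or anything from the posters here; it parses log4j entries from a properties file in that format, strips the suffix, and reports whether each entry is at or above a baseline version. The baseline of 2.17.1 and the embedded sample lines are assumptions taken from this discussion.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two lines Kevin quoted from lib/portal/dependencies.properties.
SAMPLE_PROPERTIES = """\
log4j-api=com.liferay:org.apache.logging.log4j:2.17.0.LIFERAY-PATCHED-1
log4j-core=com.liferay:org.apache.logging.log4j.core:2.17.0.LIFERAY-PATCHED-1
"""

# Assumed target version from the thread (GA7 was expected to ship 2.17.1).
BASELINE = (2, 17, 1)

# Leading numeric part only; the patch component is optional ("2.17" parses as 2.17.0).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(coordinate: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Maven-style 'group:artifact:version'
    coordinate, ignoring vendor suffixes such as '.LIFERAY-PATCHED-1'.
    Returns None when the version part is not numeric (e.g. 'latest')."""
    version = coordinate.rsplit(":", 1)[-1]
    match = VERSION_RE.match(version)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def find_log4j(properties_text: str) -> Dict[str, Tuple[Optional[Tuple[int, int, int]], str]]:
    """Map each log4j* property key to (parsed version, raw coordinate).
    Blank lines, comments and lines without '=' are skipped."""
    found = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("log4j"):
            found[key] = (parse_version(value), value)
    return found


def check(properties_text: str, baseline: Tuple[int, int, int] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (key, raw coordinate, status) for every log4j entry, where status is
    'ok' (>= baseline), 'below-baseline', or 'unparsed' (version not numeric)."""
    results = []
    for key, (version, raw) in find_log4j(properties_text).items():
        if version is None:
            status = "unparsed"
        elif version >= baseline:
            status = "ok"
        else:
            status = "below-baseline"
        results.append((key, raw, status))
    return results


if __name__ == "__main__":
    # Pass a real dependencies.properties path, or run with no argument to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROPERTIES
    for key, raw, status in check(text):
        print(f"{status:15} {key} = {raw}")
```

Run against the sample, both entries report below-baseline, which matches Jamie's answer that GA5 carries 2.17.0; pointing it at a GA7 checkout would be the way to confirm that the bump to 2.17.1 actually landed in the artifacts you deploy, rather than trusting the master-branch file alone.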
Thanks Jamie, we will wait until GA7 is released and then perform the migration from GA2 to GA7.
Just FYI, based on what I read on the Apache site, they mention 2.17.0 has a security vulnerability leading to RCE. https://logging.apache.org/log4j/2.x/security.html#:~:text=Apache%20Log4j2%20versions%202.0%2Dbeta7,Appender%20with%20a%20data%20source.
Also, we are scanning Liferay through Sonatype, and for GA2 Sonatype requests upgrading most of the third-party libraries to the latest version. Do you know if Liferay will update most of the 3rd-party libraries to the latest versions? I see that so far in GA6 they are being updated to the latest version.