Liferay CE Portal (liferay-ce-portal-7.4.0-ga1) : Log4j Vulnerability
Hi Team,
We are using Liferay CE Portal (liferay-ce-portal-7.4.0-ga1) for our product development.
In the above version, we are facing the log4j vulnerability (log4j-core-2.13.3.jar, log4j-api-2.13.3.jar) in the "osgi/bundles" folder.
We tried manually deleting log4j-api-2.13.3.jar and log4j-core-2.13.3.jar and placing the updated versions log4j-api-2.17.0.jar and log4j-core-2.17.0.jar. But on restarting the servers, the log4j versions revert to 2.13 again.
We also tried the mitigation fixes suggested in Liferay forum, such as:
- Adding the JVM parameter -Dlog4j2.formatMsgNoLookups=true in the server startup file (setenv.sh).
- Deleting the JndiLookup.class file from the Log4j Core jar and overriding the jars (/disk/liferay-ce-portal-7.4.0-ga1/osgi/marketplace/override).
Liferay Forum Link (referred for above fix) : https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability#:~:text=%2DDlog4j2.formatMsgNoLookups%3Dtrue,will%20be%20mitigated%20for%20you.
Currently, we are not able to update our Liferay CE version for our product, and moreover, the above workarounds are also not working as expected. We are still facing the critical security alerts for log4j.
Requesting your help in providing us any suggestions or fixes available to overcome the above vulnerability.
Hello everyone, please help us on the above issue, as we have tried all the ways we know of. Kindly help us if someone has a solution to this issue.
Check if there is any possible solution for the above Log4j Vulnerability explained.
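A verification check for the situation the post describes, added here as an example and not code from the poster or from Liferay: it walks an unpacked Liferay tree, reports every log4j-core / log4j-api jar by its filename version, and opens each core jar to see whether JndiLookup.class is actually absent, so that after a restart you can see which jars came back and which mitigation really took effect. The stub-jar fixture directory, the 2.17.0 threshold and the status labels are assumptions made for the example.

```python
import os, re, tempfile, zipfile
# Deleting this class from log4j-core is the mitigation the post describes trying
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-(core|api)-(\d+(?:\.\d+)*)\.jar$")
FIXED = (2, 17, 0)  # the target version the post names; adjust to current advisories

def inspect_jar(path):
    """Classify one log4j jar by its filename version and whether JndiLookup is inside."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    artifact, version = m.group(1), m.group(2)
    has_jndi = False
    if artifact == "core":
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_LOOKUP in zf.namelist()
    if tuple(map(int, version.split("."))) >= FIXED:
        status = "patched"
    elif artifact == "core":
        status = "vulnerable" if has_jndi else "mitigated-class-removed"
    else:
        status = "outdated"  # log4j-api carries no JndiLookup; only the stale version is reported
    return {"path": path, "artifact": artifact, "version": version,
            "jndi_lookup_present": has_jndi, "status": status}

def scan_tree(root):
    """Walk an unpacked Liferay tree (e.g. its osgi/ directory) and report every log4j jar."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return sorted(filter(None, map(inspect_jar, paths)), key=lambda r: r["path"])

def build_fixture():
    """Constructed sample tree in the post's layout (empty stub jars, not real Liferay jars)."""
    root = tempfile.mkdtemp()
    stubs = {
        "osgi/bundles/log4j-core-2.13.3.jar": ["META-INF/MANIFEST.MF", JNDI_LOOKUP],
        "osgi/bundles/log4j-api-2.13.3.jar": ["META-INF/MANIFEST.MF"],
        "osgi/marketplace/override/log4j-core-2.13.3.jar": ["META-INF/MANIFEST.MF"],
        "osgi/marketplace/override/log4j-core-2.17.0.jar": ["META-INF/MANIFEST.MF", JNDI_LOOKUP],
    }
    for rel, entries in stubs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    return root

if __name__ == "__main__":
    for r in scan_tree(build_fixture()):
        print(r["status"].ljust(24), r["path"])
```

Run it against the real install with `scan_tree("/disk/liferay-ce-portal-7.4.0-ga1/osgi")` after every restart; a jar under osgi/bundles still reporting "vulnerable" means the bundle was redeployed from Liferay's own state and the override or class deletion did not reach it.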