Hi Team,
We are using Liferay CE Portal
(liferay-ce-portal-7.4.0-ga1) for our product development.
In the above given version, we are facing log4j vulnerability
(log4j-core-2.13.3.jar, log4j-api-2.13.3.jar) in
"osgi/bundles" folder.
We tried manually deleting the log4j-api-2.13.3.jar,
log4j-core-2.13.3.jar versions and placed the updated
versions log4j-api-2.17.0.jar,
log4j-core-2.17.0.jar. But on restarting the servers, again
the log versions are reverting back to 2.13.
We also tried the mitigation fixes suggested in Liferay forum, such as:
-
Updating JVM parameter -Dlog4j2.formatMsgNoLookups=true in server
startup file(setenv.sh).
-
Deleting the JNDILookup.class file in Log4j Core jar and
overriding the jars. (/disk/liferay-ce-portal-7.4.0-ga1/osgi/marketplace/override)
Liferay Forum Link (referred for above fix) : https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability#:~:text=%2DDlog4j2.formatMsgNoLookups%3Dtrue,will%20be%20mitigated%20for%20you.
Currently, we will not be able to update our Liferay CE Versions for
our product and moreover, the above work arounds are also not working
as expected. We are still facing the critical security alerts for log4j.
Requesting your help in providing us any suggestions or fixes
available to overcome the above vulnerability.
