about Apache Log4j Security Vulnerabilities https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=121304502 2026-04-04T00:58:55Z 2026-04-04T00:58:55Z Tomáš Polešovský https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=121304881 2021-12-23T07:02:47Z 2021-12-21T10:03:11Z

<p>Hi,</p> <p>Please see <a href="https://liferay.dev/blogs/-/blogs/log4j2-vulnerability-fixing-the-jar">https://liferay.dev/blogs/-/blogs/log4j2-vulnerability-fixing-the-jar</a></p> <p>Please don't forget to fix all log4j-core JAR files in the classpath.</p> <p>Thank you.</p> <p>- Tomas</p>

Tomáš Polešovský 2021-12-21T10:03:11Z Scarletake Bwi https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=121304501 2021-12-22T07:24:31Z 2021-12-21T03:01:03Z

<p>hi </p> <p>i am using liferay ce 7.4.3.4</p> <p>it's about <a href="https://logging.apache.org/log4j/2.x/security.html">Log4j2 vulnerability.</a></p> <p>i do not understand, it should happen when using log4j2, but in &lt;liferay home&gt;/tomcat-9.0.53/webapps/ROOT/WEB-INF/shieded-container-lib, i only see log4j-1.2.jar, lkog4j-api.jar and log4j-core.jar</p> <p> <strong>may i just replace the jar with new download from apache and fix this issue?</strong></p> <p> </p> <p>i try download log4j 2.17.0 and replace  3 jras in</p> <p>&lt;liferay home&gt;/tomcat-9.0.53/webapps/ROOT/WEB-INF/shieded-container-lib</p> <p>and</p> <p>&lt;liferay home&gt;/elasticsearch-sidecar/7.10.2/lib, restart server, it's looks fine. </p> <p>and i also update com.liferay.portal.bootstrap.jar/META-INF/system.packages.extra.mf, change all log4j to 2.17.0</p> <p> </p> <p> </p> <p>but i find there still have log4j-api-2.11.1.jar and log4j-core-2.11.1.jar in </p> <p>&lt;liferay home&gt;\osgi\state\org.eclipse.osgi\607\0\.cp\lib</p> <p>it's looks like the jar be download by maven, how can i fix this?</p> <p> </p> <p>thank you in advance.</p> <p> </p>

Scarletake Bwi 2021-12-21T03:01:03Z