Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?

Expert (Posts: 253, Join Date: 1/25/16):
Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 297, Join Date: 9/5/14):
Hi Kevin, from what I understand any version below 7.4 is not impacted by the vulnerability. However, taking from Dave's blog, where he suggests adding the system property -Dlog4j2.formatMsgNoLookups=true to any version, seems like sound advice. I added it to one of my 7.3 environments just to be sure.
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
Thanks Jamie. Will there be a Liferay 7.4 CE release updating log4j2 to version 2.16.0?
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 297, Join Date: 9/5/14):
Yes, the next version, 7.4 GA5, will have log4j2 2.16.0.
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
Hi Jamie, any word on when the new Liferay CE 7.4 GA5 will be released?
Thanks
Kevin
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 297, Join Date: 9/5/14):
Hi Kevin, it has been released: https://liferay.dev/blogs/-/blogs/liferay-portal-7-4-ga5-and-liferay-commerce-4-0-ga5-release
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
OK, great. Do you know which version of log4j is used, 2.16 or 2.17?
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 297, Join Date: 9/5/14):
It includes log4j 2.17.
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
OK, great! Thanks Jamie.
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
Hi Jamie, does the new Liferay version contain log4j2 version 2.17.1 or 2.17.0?
Thanks
Kevin
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
OK, found it. Something seems to be strange on the master branch: it seems to be version 2.17.1 (https://github.com/liferay/liferay-portal/blob/master/lib/portal/dependencies.properties), but when I import the Liferay source I see version:
log4j-api=com.liferay:org.apache.logging.log4j:2.17.0.LIFERAY-PATCHED-1
log4j-core=com.liferay:org.apache.logging.log4j.core:2.17.0.LIFERAY-PATCHED-1
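The two checks the thread turns on are "which log4j-core version does this Liferay build actually ship?" and "is the -Dlog4j2.formatMsgNoLookups=true property from the earlier reply present in the JVM options?". The following Python is an added example, not code from the thread or from Liferay: it parses dependency lines of the shape quoted above (the sample text is constructed to match them, including the LIFERAY-PATCHED suffix, which a naive version compare would choke on), reports every log4j artifact below a chosen minimum, and checks a JVM options string for the property. The minimum of 2.17.1 is taken from the version the poster is waiting for in GA7; the lookup property is treated only as an extra mitigation, since Apache's advisories note it does not cover every issue and upgrading remains the fix.

```python
import re
from typing import Dict, Tuple

# Constructed sample shaped like the lines quoted in the thread from
# lib/portal/dependencies.properties (not the real file's full contents).
SAMPLE_PROPERTIES = """\
# constructed sample
log4j-api=com.liferay:org.apache.logging.log4j:2.17.0.LIFERAY-PATCHED-1
log4j-core=com.liferay:org.apache.logging.log4j.core:2.17.0.LIFERAY-PATCHED-1
commons-lang=commons-lang:commons-lang:2.6
"""

# Assumption: the poster wants to be on 2.17.1 (the version announced for GA7).
MIN_SAFE_VERSION: Tuple[int, int, int] = (2, 17, 1)

# Leading numeric triple; anything after it (e.g. ".LIFERAY-PATCHED-1") is ignored
# for ordering purposes, because the vendor suffix is not part of the upstream version.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.17.0.LIFERAY-PATCHED-1' into (2, 17, 0)."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def log4j_versions(properties_text: str) -> Dict[str, Tuple[int, int, int]]:
    """Map each log4j* key in a dependencies.properties-style text to its version."""
    found: Dict[str, Tuple[int, int, int]] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, coordinate = line.partition("=")
        key = key.strip()
        if not key.startswith("log4j"):
            continue
        # Coordinates are group:artifact:version; skip anything else.
        parts = coordinate.strip().split(":")
        if len(parts) != 3:
            continue
        found[key] = parse_version(parts[2])
    return found


def below_minimum(properties_text: str,
                  minimum: Tuple[int, int, int] = MIN_SAFE_VERSION
                  ) -> Dict[str, Tuple[int, int, int]]:
    """Return only the log4j artifacts whose version is older than `minimum`."""
    return {key: ver for key, ver in log4j_versions(properties_text).items()
            if ver < minimum}


def has_no_lookups_property(java_opts: str) -> bool:
    """True if the JVM options contain the exact mitigation property from the thread."""
    return "-Dlog4j2.formatMsgNoLookups=true" in java_opts.split()


if __name__ == "__main__":
    for key, ver in below_minimum(SAMPLE_PROPERTIES).items():
        print(f"{key}: {'.'.join(map(str, ver))} is below "
              f"{'.'.join(map(str, MIN_SAFE_VERSION))}")
    # Constructed JVM options string, as one might find in a bundle's setenv script.
    print("mitigation property present:",
          has_no_lookups_property("-Xmx2g -Dlog4j2.formatMsgNoLookups=true"))
```

To run it against a real checkout, read the actual dependencies.properties into a string and pass it in place of SAMPLE_PROPERTIES; the LIFERAY-PATCHED suffix is deliberately dropped from ordering, so treat the output as "upstream version older than X", not as a statement about what the vendor patch does or does not fix.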
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 297, Join Date: 9/5/14):
Hi Kevin, 7.4 GA5 contains log4j 2.17.0. log4j 2.17.1 will be included in the upcoming 7.4 GA7, which should be released in the next few days. Our security team deemed 2.17.0 safe for deployment, but if you would prefer to be on 2.17.1 then I would just wait for GA7.
RE: Is Liferay 7.2 CE GA3 impacted by the log4j 2 vulnerability?
Expert (Posts: 253, Join Date: 1/25/16):
Thanks Jamie, we will wait until GA7 is released and then perform the migration from GA2 to GA7.
Just FYI, based on what I read on the Apache site, they mention 2.17.0 has a security vulnerability leading to RCE. https://logging.apache.org/log4j/2.x/security.html#:~:text=Apache%20Log4j2%20versions%202.0%2Dbeta7,Appender%20with%20a%20data%20source.
Also, we are scanning Liferay through Sonatype, and it seems that for GA2 Sonatype requests upgrading most of the third-party libraries to the latest version. Do you know if Liferay will update most of the third-party libraries to the latest versions? I see that so far in GA6 they are being updated to the latest version.