about Apache Log4j Security Vulnerabilities
Expert Posts: 326 Join Date: 12/20/10
Hi,
I am using Liferay CE 7.4.3.4.
This is about the Log4j2 vulnerability.
I do not understand: it should happen when using Log4j2, but in <liferay home>/tomcat-9.0.53/webapps/ROOT/WEB-INF/shielded-container-lib, I only see log4j-1.2.jar, log4j-api.jar and log4j-core.jar.
May I just replace the JAR with a new download from Apache and fix this issue?
I tried downloading Log4j 2.17.0 and replacing the 3 JARs in
<liferay home>/tomcat-9.0.53/webapps/ROOT/WEB-INF/shielded-container-lib
and
<liferay home>/elasticsearch-sidecar/7.10.2/lib, then restarted the server, and it looks fine.
I also updated com.liferay.portal.bootstrap.jar/META-INF/system.packages.extra.mf, changing all log4j to 2.17.0.
But I find there are still log4j-api-2.11.1.jar and log4j-core-2.11.1.jar in
<liferay home>\osgi\state\org.eclipse.osgi\607\0\.cp\lib
It looks like the JARs were downloaded by Maven. How can I fix this?
thank you in advance.
RE: about Apache Log4j Security Vulnerabilities (Answer)
Liferay Master Posts: 676 Join Date: 2/13/09
Hi,
Please see https://liferay.dev/blogs/-/blogs/log4j2-vulnerability-fixing-the-jar
Please don't forget to fix all log4j-core JAR files in the classpath.
Thank you.
- Tomas
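
One way to check that no log4j-core JAR was missed, including copies bundled inside other archives such as the ones that end up under osgi/state. This is an added example, not code from the thread or from Liferay. It assumes 2.17.0 (the version mentioned in the question) as the target, and the archive extension list is an assumption.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
TARGET = (2, 17, 0)  # assumption: version from the question; adjust as needed
ARCHIVE_EXT = (".jar", ".war", ".ear", ".lpkg", ".zip")  # assumed container types


def inspect(name, data, location, findings):
    """Record a log4j-core JAR and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        m = CORE_JAR.search(name.replace("\\", "/"))
        if m:
            version = tuple(int(p) for p in m.group(1).split("."))
            findings.append({
                "location": location,
                "version": m.group(1),
                "outdated": version < TARGET,
                # Whether the JndiLookup class is packaged in this JAR.
                "has_jndi_lookup": JNDI_CLASS in zf.namelist(),
            })
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_EXT):
                inspect(entry, zf.read(entry), f"{location}!/{entry}", findings)


def scan(root):
    """Walk root and return one finding per log4j-core JAR, nested or not."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            inspect(path.name, path.read_bytes(), str(path), findings)
    return findings


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "OUTDATED" if f["outdated"] else "ok"
        print(f"{flag:8} {f['version']:8} jndi={f['has_jndi_lookup']} {f['location']}")
```

Run it with the Liferay home directory as the argument. A location containing `!/` means the JAR sits inside another archive, so replacing loose files on disk will not reach it.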