
about Apache Log4j Security Vulnerabilities

Scarletake Bwi, modified 2 Years ago.

Expert Posts: 326 Join Date: 12/20/10 Recent Posts

Hi,

I am using Liferay CE 7.4.3.4.

It's about the Log4j2 vulnerability.

I do not understand: it should happen when using log4j2, but in <liferay home>/tomcat-9.0.53/webapps/ROOT/WEB-INF/shielded-container-lib I only see log4j-1.2.jar, log4j-api.jar and log4j-core.jar.

May I just replace the JARs with a new download from Apache and fix this issue?

I tried downloading log4j 2.17.0 and replacing the 3 JARs in

<liferay home>/tomcat-9.0.53/webapps/ROOT/WEB-INF/shielded-container-lib

and

<liferay home>/elasticsearch-sidecar/7.10.2/lib, then restarted the server, and it looks fine.

I also updated com.liferay.portal.bootstrap.jar/META-INF/system.packages.extra.mf, changing all log4j to 2.17.0.

But I find there are still log4j-api-2.11.1.jar and log4j-core-2.11.1.jar in

<liferay home>\osgi\state\org.eclipse.osgi\607\0\.cp\lib

It looks like the JARs were downloaded by Maven. How can I fix this?

Thank you in advance.

 

Tomáš Polešovský, modified 2 Years ago.

RE: about Apache Log4j Security Vulnerabilities (Answer)

Liferay Master Posts: 676 Join Date: 2/13/09 Recent Posts

Hi,

Please see https://liferay.dev/blogs/-/blogs/log4j2-vulnerability-fixing-the-jar

Please don't forget to fix all log4j-core JAR files in the classpath.

Thank you.

- Tomas
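
One way to find every log4j-core copy under the Liferay home, including JARs nested inside other archives such as the ones under osgi/state in the question (an added example, not from the original thread or from Liferay). The function names, the archive extensions scanned, and the use of 2.17.0 from the question as the threshold are this example's assumptions.

```python
import io
import os
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")  # assumption: extensions worth opening


def inspect_archive(source, label, findings):
    """Record log4j-core evidence in one archive, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a real zip: skip it
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            match = re.search(r"^version=(\S+)", props, re.M)
            findings.append({"path": label, "version": match.group(1) if match else None,
                             "jndi_lookup": JNDI_CLASS in names})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", findings)


def scan_tree(root):
    """Walk root and return findings for every archive that carries log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, filename)
                inspect_archive(path, path, findings)
    return sorted(findings, key=lambda f: f["path"])


def needs_update(version, minimum=(2, 17, 0)):
    """True if version is unknown or below minimum (2.17.0 is the release used in the question)."""
    parts = re.findall(r"\d+", version or "")[:3]
    return not parts or tuple(map(int, parts)) < minimum


if __name__ == "__main__":
    # Usage: python scan_log4j.py <liferay home>
    for f in scan_tree(sys.argv[1]):
        print(f["path"], f["version"], f["jndi_lookup"], needs_update(f["version"]))
```

A path printed with `!/` is a JAR embedded in another archive; replacing only the top-level files leaves that copy in place.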