1

I use Liferay 7.2.1 GA2, and it has log4j inside. But I can't figure out where it is and which version of it is used in Liferay. The only thing I found is the Liferay package `com.liferay.portal.log4j.extender` in the App Manager.

Which version of log4j is used in Liferay? Is it possible to update it for Liferay?

NULL pointer
  • As it appears to be a paid service, it seems like this should be a question for `Liferay`? ... after all, they should be able to answer, especially due to the latest security issue related to `log4j`. – Paul T. Dec 12 '21 at 00:15
  • 2
    In my case I use the free version of the portal. I thought maybe somebody understands this thing better than me and can answer. – NULL pointer Dec 12 '21 at 00:51
  • You can probably search the `bundle` with `find /server/liferay -name "*log4j*.jar" -ls` and see JARS on your distribution. – peter_pilgrim Jan 11 '22 at 15:39
  • 1
    Bear in mind, Tomcat is exploded and any WAR files are exploded dynamically (at runtime). I believe there is ElasticSearch at least in Liferay 7.3. I agreed with @Paul T about the Liferay commercial, they seem brilliantly slow at remediating this fix. – peter_pilgrim Jan 11 '22 at 15:41

2 Answers

8

Liferay Portal 7.2 uses log4j 1.2.17

You can check the libraries used by Liferay Portal 7.2 in the lib/versions.html file in the source code, see log4j version of Liferay Portal 7.2 here:

If you are asking this question due to the Log4j 2.x Zero-Day Vulnerability, it only affects the Liferay Portal 7.4 version.

For more information see this post: https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability

jorgediaz-lr
1

If you are using the Elasticsearch sidecar (bundled Elasticsearch), Liferay starts an additional process on startup. As far as I know, this one is using log4j-core 2.13.3.

There are blog posts that state that Elasticsearch is not directly affected, and usually those ports should not be exposed - so you should make sure of this.

Andre Albert
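An added example (not part of either answer and not Liferay tooling) that extends the `find` one-liner from the comments: it lists every `*log4j*.jar` under a directory with its artifact name and version, so a 1.2.17 jar and a bundled log4j-core 2.13.3 jar show up side by side. The function names, the tab-separated output and the `scan.sh` file name are assumptions of this example; jars named without a version fall back to the manifest.

```shell
#!/bin/sh
# Added example: inventory log4j jars under a directory tree.
# Prints one tab-separated line per jar: artifact, version, path.

# Version taken from the file name, e.g. log4j-core-2.13.3.jar -> 2.13.3
version_from_name() {
    basename "$1" .jar |
        sed -n 's/.*-\([0-9][0-9.]*[0-9A-Za-z.-]*\)$/\1/p'
}

# Fallback for jars named without a version (assumed case: log4j.jar):
# read the version from the jar manifest, if unzip is installed.
version_from_manifest() {
    command -v unzip >/dev/null 2>&1 || return 0
    unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r' |
        sed -n -e 's/^Implementation-Version: *//p' \
               -e 's/^Bundle-Version: *//p' | head -n 1 || true
}

scan_log4j() {
    find "$1" -type f -name '*log4j*.jar' | sort |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=$(version_from_name "$jar")
        if [ -n "$ver" ]; then
            artifact=${base%-"$ver"}      # strip the "-<version>" suffix
        else
            artifact=$base
            ver=$(version_from_manifest "$jar")
        fi
        printf '%s\t%s\t%s\n' "$artifact" "${ver:-unknown}" "$jar"
    done
}

# Usage (scan.sh is a hypothetical file name): sh scan.sh /server/liferay
if [ "$#" -gt 0 ]; then
    scan_log4j "$1"
fi
```

Jars packed inside a WAR that has not been exploded on disk are not visible to `find`, so run it against the running installation's directories.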