NOTE: This article is an INTERNAL article and is not visible to customers, currently. Please only link this article in internal comments, but not public comments.
Issue
- How can users check if the patch that they’ve applied has eliminated all instances of the log4j vulnerability?
Environment
- DXP 7.1
- DXP 7.2
- DXP 7.3
Resolution
Here are the steps to check if a log4j hotfix has resolved the targeted vulnerabilities:
To search for vulnerabilities caused by CVE-2021-45105, CVE-2019-17571, CVE-2020-9488 and CVE-2021-4104:
How to check your Elasticsearch Connector:
- Install patch
- Go to osgi/marketplace
- Search for "Elasticsearch". There should be multiple results.
- Open the "Liferay Foundation - Liferay Connector to Elasticsearch X - Impl.lpkg", where "X" is 6 and/or 7 (check every connector version that is installed).
- Navigate to "com.liferay.portal.search.elasticsearchX.impl-5.0.21.hotfix-YYYY-ZZZZ.jar" (YYYY-ZZZZ is your hotfix identifier) and open the archive.
- Navigate to /lib/ and view the log4j jars.
- You should see log4j-api-2.17.0.jar and log4j-core-2.17.0.jar.
- You should NOT see any other log4j .jar files (for example, an older log4j-core version next to the 2.17.0 one).
If you find other log4j instances than the ones listed above, request the following fixes: LPE-17451 and LPE-17270
How to search for vulnerabilities caused by CVE-2019-17571, CVE-2020-9488 and CVE-2021-4104 (the log4j 1.x jar):
- Install patch
- Go to tomcat-9.0.37/webapps/ROOT/WEB-INF/lib (the Tomcat directory name depends on your bundle) and look for the "log4j.jar" file, or simply search the whole bundle for it.
- You should not find any instance of "log4j.jar". Search instead for reload4j.jar, as this is the component Liferay now uses for logging.
If you find any log4j.jar instances, request this fix: LPE-17063
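Both checks above can be scripted instead of done by hand in an archive viewer. The following is an added example, not Liferay tooling: it walks a bundle directory, opens every .lpkg, .jar, .war and .zip it meets (recursively, so a jar inside an lpkg is covered), and reports every log4j*.jar, separating the two jars the article expects inside the Elasticsearch connector impl jar from anything else, which is what would trigger an LPE request. The bundle it scans is constructed in memory by build_sample_bundle(); the lpkg and jar names there (including the "hotfix-sample" suffix) are illustrative, and the stale log4j-core-2.11.1.jar and the log4j.jar in the unpatched variant are constructed to show what a failed check looks like. To use it on a real installation, call check_bundle() with the bundle root.

```python
"""Scan a Liferay DXP bundle for log4j jars, including ones nested inside
.lpkg and .jar archives, and compare them with what the article expects.

Added example. The bundle scanned in demo() is generated by
build_sample_bundle(); nothing here is taken from a real installation."""
import io
import os
import re
import tempfile
import zipfile

# Matches the last path component when it is a log4j jar (log4j.jar,
# log4j-core-2.17.0.jar, ...). reload4j.jar deliberately does not match.
LOG4J_JAR = re.compile(r"(?:^|/)(log4j[^/]*\.jar)$")
ARCHIVE_EXT = (".jar", ".lpkg", ".war", ".zip")

# What the article says a patched Elasticsearch connector impl jar ships in /lib/.
EXPECTED_ES_LOG4J = {"log4j-api-2.17.0.jar", "log4j-core-2.17.0.jar"}


def _scan_archive(data, where):
    """Return every log4j*.jar entry in a zip, recursing into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = f"{where}!/{name}"        # '!/' marks nesting inside an archive
            if LOG4J_JAR.search(name):
                hits.append(full)
            if name.endswith(ARCHIVE_EXT):
                hits.extend(_scan_archive(zf.read(name), full))
    return hits


def find_log4j_jars(root):
    """Walk a bundle directory and return all log4j jars, nested ones included."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if LOG4J_JAR.search(fname):
                hits.append(rel)
            if fname.endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:
                    hits.extend(_scan_archive(fh.read(), rel))
    return sorted(hits)


def classify(hits):
    """Split hits into the jars the article expects and everything else."""
    expected, unexpected = [], []
    for h in hits:
        base = LOG4J_JAR.search(h).group(1)
        # Only the ES connector impl jar's /lib/ may carry log4j 2.17.0.
        in_es_impl = "elasticsearch" in h.lower() and ".impl-" in h and "/lib/" in h
        if in_es_impl and base in EXPECTED_ES_LOG4J:
            expected.append(h)
        else:
            unexpected.append(h)
    return expected, unexpected


def check_bundle(root):
    """Return (ok, expected, unexpected); ok is False when an LPE request is due."""
    expected, unexpected = classify(find_log4j_jars(root))
    return (not unexpected), expected, unexpected


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes}; used to fabricate sample jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_bundle(root, patched):
    """Constructed DXP layout: connector lpkg under osgi/marketplace plus
    tomcat-9.0.37/webapps/ROOT/WEB-INF/lib. Names are illustrative only."""
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    lib = {
        "lib/log4j-api-2.17.0.jar": _zip_bytes(manifest),
        "lib/log4j-core-2.17.0.jar": _zip_bytes(manifest),
    }
    if not patched:  # constructed: a stale older log4j 2 copy left behind
        lib["lib/log4j-core-2.11.1.jar"] = _zip_bytes(manifest)
    impl_jar = _zip_bytes({**manifest, **lib})
    lpkg = _zip_bytes(
        {"com.liferay.portal.search.elasticsearch7.impl-5.0.21.hotfix-sample.jar": impl_jar})

    marketplace = os.path.join(root, "osgi", "marketplace")
    os.makedirs(marketplace)
    lpkg_name = "Liferay Foundation - Liferay Connector to Elasticsearch 7 - Impl.lpkg"
    with open(os.path.join(marketplace, lpkg_name), "wb") as fh:
        fh.write(lpkg)

    weblib = os.path.join(root, "tomcat-9.0.37", "webapps", "ROOT", "WEB-INF", "lib")
    os.makedirs(weblib)
    logging_jar = "reload4j.jar" if patched else "log4j.jar"  # log4j 1.x if unpatched
    with open(os.path.join(weblib, logging_jar), "wb") as fh:
        fh.write(_zip_bytes(manifest))
    return root


def demo(patched):
    """Build a throwaway sample bundle and return check_bundle() for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_bundle(build_sample_bundle(tmp, patched))


if __name__ == "__main__":
    for patched in (True, False):
        ok, exp, unexp = demo(patched)
        print(f"patched={patched}: {'OK' if ok else 'REVIEW'}")
        for h in exp:
            print("  expected  ", h)
        for h in unexp:
            print("  UNEXPECTED", h)
```

Paths in the report use "!/" to show nesting, so an entry such as osgi/marketplace/...Impl.lpkg!/com.liferay.portal.search.elasticsearch7.impl-...jar!/lib/log4j-core-2.11.1.jar tells you exactly which archive to open. The scanner goes by file name only; it does not inspect jar contents, so a renamed or shaded copy of log4j would not be reported.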