Apache Log4j 1.x has reached its end-of-life
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.
Environment
- Liferay DXP 7.0
- Liferay DXP 7.1
- Liferay DXP 7.2
- Liferay DXP 7.3
Resolution
- Liferay is aware of Log4j 1.x's end-of-life and has logged it as a feature request, which can be tracked here: [LPS-59243] Upgrade Log4j to 2.x
- The end-of-life of a dependency does not by itself imply a security vulnerability, so Liferay has kept Log4j 1.x and fixes any issues that arise in it.
- Furthermore, none of the known Log4j 1.x vulnerabilities are exploitable in DXP out of the box.
- Liferay can provide a patched Log4j 1.x to conform to the OWASP Top 10 rule regarding shipping vulnerable dependencies. However, because Log4j 1.x has reached EOL, no upstream update can be provided; instead, it will be patched if a vulnerability impacts Liferay.
- On DXP 7.4, Liferay uses the latest log4j2 version. In previous Liferay versions, the security team decided to replace log4j with reload4j. This work is tracked in LPS-111104, although replacing it completely in each version may take some time.