Legacy Knowledge Base
Published Jul. 2, 2025

CVE-2022-23305, CVE-2022-23307, and CVE-2017-5645

Written By

Kanchan Bisht

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • This article explains whether, and how, CVE-2022-23305, CVE-2022-23307 and CVE-2017-5645 (an SQL injection and two deserialization issues in Log4j components) affect Liferay DXP.

Environment

  • Liferay DXP 7.0
  • Liferay DXP 7.1
  • Liferay DXP 7.2
  • Liferay DXP 7.3

Resolution

  • CVE-2022-23307 (the same flaw first tracked as CVE-2020-9493) is a deserialization issue in Apache Chainsaw, a GUI log viewer that reads events written in Log4j's XMLLayout format. The Chainsaw classes are bundled in log4j 1.2.x, but they only do anything when the Chainsaw viewer itself is run. Log4j does not start Chainsaw by default and Liferay DXP does not use it, so Liferay DXP is not exposed through this CVE.
  • CVE-2017-5645 is a deserialization issue in Log4j's SocketServer, a standalone receiver that reads serialized LoggingEvent objects sent to it over TCP. It is fully fixed by LPS-111104. Until that fix is available, the hotfix addresses it by patching log4j.jar and removing the vulnerable code (see the Checkpoints below for how to confirm this on a server).

  • CVE-2022-23305 is an SQL injection in the Log4j 1.2.x JDBCAppender: the configured SQL string is treated as a PatternLayout pattern, so a conversion character such as %m splices the raw log message into the statement without quoting. This will also be fully resolved by LPS-111104. Liferay DXP does not configure a JDBCAppender by default, so a deployment is exposed only if one has been added to its own Log4j configuration.
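The two appender-based issues above (JDBCAppender for CVE-2022-23305, and the JMSAppender the Liferay hotfix removes) are only reachable if a deployment's own Log4j configuration defines those appenders. The script below is an added example, not part of this article or of Liferay's code: it reads the two Log4j 1.x configuration formats (DOMConfigurator XML and log4j.properties), reports appenders whose class is one of those the CVEs concern, and for a JDBCAppender shows how the "sql" pattern becomes a statement. Both sample configurations are constructed for the demonstration; they are not Liferay's shipped portal-log4j.xml.

```python
"""Audit a Log4j 1.x configuration for the appenders behind the CVEs above.

Added example, not taken from the article or from Liferay's code. The samples
at the bottom are constructed; run the functions against a real portal-log4j-ext.xml
or log4j.properties to audit a deployment.
"""
import re
import xml.etree.ElementTree as ET

# Appender classes the article's CVEs concern. Chainsaw (CVE-2022-23307) is a
# standalone viewer and SocketServer (CVE-2017-5645) a separately launched
# process, so neither can be switched on from an appender configuration.
RISKY_APPENDERS = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305 (SQL injection via the sql pattern)",
    "org.apache.log4j.net.JMSAppender": "JMSAppender (removed by the Liferay hotfix)",
}

def audit_config(text):
    """Return [{name, cls, issue, sql}] for every risky appender in an XML or properties config."""
    findings = []
    if text.lstrip().startswith("<"):
        root = ET.fromstring(text)
        for app in root.iter("appender"):  # <appender> elements carry no namespace prefix
            cls = app.get("class", "")
            if cls in RISKY_APPENDERS:
                params = {p.get("name", "").lower(): p.get("value", "") for p in app.findall("param")}
                findings.append({"name": app.get("name"), "cls": cls,
                                 "issue": RISKY_APPENDERS[cls], "sql": params.get("sql")})
    else:
        classes, sqls = {}, {}
        for line in text.splitlines():
            m = re.match(r"\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", line)
            if m:  # log4j.appender.NAME=fully.qualified.Class
                classes[m.group(1)] = m.group(2)
                continue
            m = re.match(r"\s*log4j\.appender\.([^.=\s]+)\.sql\s*=\s*(.*)", line, re.I)
            if m:  # log4j.appender.NAME.sql=INSERT ...
                sqls[m.group(1)] = m.group(2).strip()
        for name, cls in classes.items():
            if cls in RISKY_APPENDERS:
                findings.append({"name": name, "cls": cls,
                                 "issue": RISKY_APPENDERS[cls], "sql": sqls.get(name)})
    return findings

def render_sql(sql_pattern, message):
    """Simplified stand-in for PatternLayout as the 1.x JDBCAppender uses it: only %m is
    expanded here (the real layout also expands %d, %p, ...). The message is spliced in
    verbatim with no quoting, which is the whole of CVE-2022-23305."""
    return sql_pattern.replace("%m", message)

# Constructed sample configurations (not Liferay's shipped files).
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
    </layout>
  </appender>
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:hsqldb:mem:audit"/>
    <param name="sql" value="INSERT INTO LOGS (LEVEL, MSG) VALUES ('%p', '%m')"/>
  </appender>
  <root><priority value="INFO"/><appender-ref ref="CONSOLE"/><appender-ref ref="DB"/></root>
</log4j:configuration>
"""

SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, CONSOLE, DB
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.sql=INSERT INTO LOGS (LEVEL, MSG) VALUES ('%p', '%m')
"""

if __name__ == "__main__":
    for label, cfg in (("xml", SAMPLE_XML), ("properties", SAMPLE_PROPERTIES)):
        for f in audit_config(cfg):
            print(f"[{label}] appender {f['name']} uses {f['cls']}: {f['issue']}")
            if f["sql"]:
                # Any text that reaches the logger (e.g. a username in a failed-login
                # message) becomes part of the statement.
                hostile = "x'); DELETE FROM LOGS; --"
                print("   sql pattern :", f["sql"])
                print("   rendered    :", render_sql(f["sql"], hostile))
```

An empty result from audit_config on a deployment's configuration files is the condition the Resolution relies on: with no JDBCAppender or JMSAppender defined, the only remaining item from this article is the patched log4j.jar itself.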

Additional Information

  • If you need the hotfix for these issues, create a support ticket requesting it and attach the details of the patches currently installed in your environment.
  • The article Installing Fix Packs and Hotfixes on Liferay DXP explains how to install a fix pack or hotfix in your environment.
  • Checkpoints (adjust the /opt/liferay prefix to your installation):
    • Patching Tool
      /opt/liferay/patching-tool/lib/patching-tool.jar (bundles log4j-api 2.3 and log4j-core 2.3)
      Use the latest Patching Tool release for your line; at the time of writing:
      Patching Tool 3.0.31
      Patching Tool 2.0.16
    • Elasticsearch
      /opt/liferay/elasticsearch7/lib/log4j-core-2.11.1.jar (log4j-core 2.11.1)
      Update to the latest Elasticsearch release supported for your DXP version.
    • Core JARs
      /opt/liferay/tomcat/webapps/ROOT/WEB-INF/lib/log4j.jar (log4j 1.2.17)
      /opt/liferay/tomcat/webapps/ROOT/WEB-INF/lib/log4j-extras.jar (log4j-extras 1.2.17)
      After the fix is applied, META-INF/MANIFEST.MF in log4j.jar lists the version as 1.2.17.LIFERAY-PATCHED-1. Do not stop at the version string: list the JAR's contents and check the JMSAppender and SocketServer classes (package org.apache.log4j.net) to confirm that the vulnerable code has been removed, as the Resolution describes.
    • log4j-extras.jar is not affected by these CVEs and needs no change.
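The core-JAR checkpoint above asks for two things: the patched version string in the manifest and confirmation that the vulnerable classes are actually gone. The script below is an added example, not Liferay's tooling, that performs both checks with nothing but Python's zipfile module. It assumes the patched version string is exposed as Implementation-Version or Bundle-Version in MANIFEST.MF (the article only says the manifest "lists" it) and that the hotfix removes the JMSAppender and SocketServer classes rather than rewriting them. The JARs it builds are constructed stand-ins so it runs offline; on a server, point inspect_log4j_jar at the real paths.

```python
"""Inspect a log4j JAR: manifest version plus which CVE-related classes it still contains.

Added example, not Liferay's tooling. The sample JARs are constructed in memory;
CHECKPOINT_JARS lists the article's paths for use on a real server.
"""
import io
import os
import zipfile

CHECKPOINT_JARS = [
    "/opt/liferay/patching-tool/lib/patching-tool.jar",
    "/opt/liferay/elasticsearch7/lib/log4j-core-2.11.1.jar",
    "/opt/liferay/tomcat/webapps/ROOT/WEB-INF/lib/log4j.jar",
    "/opt/liferay/tomcat/webapps/ROOT/WEB-INF/lib/log4j-extras.jar",
]

# Class files (or a package prefix) inside log4j 1.2.x that carry each issue.
RISKY_ENTRIES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2017-5645 (SocketServer); removed by the hotfix",
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender; removed by the hotfix",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305 (JDBCAppender); inert unless configured",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307 (Chainsaw viewer); inert unless Chainsaw is run",
}

def parse_manifest(text):
    """MANIFEST.MF -> dict; a line starting with a space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def inspect_log4j_jar(jar):
    """jar is a path or file-like object. Returns the manifest version, whether the
    LIFERAY-PATCHED marker is present, and which risky entries are still inside."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    version = manifest.get("Implementation-Version") or manifest.get("Bundle-Version") or "unknown"
    present = {}
    for entry, issue in RISKY_ENTRIES.items():
        if entry.endswith("/"):  # package prefix: any class under it counts
            found = any(n.startswith(entry) and n.endswith(".class") for n in names)
        else:
            found = entry in names
        if found:
            present[entry] = issue
    return {"version": version, "patched": "LIFERAY-PATCHED" in version, "present": present}

def build_sample_jar(version, class_entries):
    """Constructed in-memory JAR: a manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic; contents do not matter here
    buf.seek(0)
    return buf

def sample_unpatched():
    """Shaped like stock log4j 1.2.17: every risky class present."""
    return build_sample_jar("1.2.17", [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/net/JMSAppender.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
    ])

def sample_patched():
    """Shaped like the hotfixed JAR: marker in the manifest, JMSAppender and SocketServer gone."""
    return build_sample_jar("1.2.17.LIFERAY-PATCHED-1", [
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/jdbc/JDBCAppender.class",
        "org/apache/log4j/chainsaw/Main.class",
    ])

def report(label, result):
    print(f"{label}: version {result['version']} (LIFERAY-PATCHED marker: {result['patched']})")
    for entry, issue in result["present"].items():
        print(f"   present {entry} -> {issue}")

if __name__ == "__main__":
    report("constructed unpatched", inspect_log4j_jar(sample_unpatched()))
    report("constructed patched  ", inspect_log4j_jar(sample_patched()))
    for path in CHECKPOINT_JARS:  # on a server, inspect whichever checkpoint paths exist
        if os.path.exists(path):
            report(path, inspect_log4j_jar(path))
```

Read the output against the Resolution: after the hotfix the marker should be present and the SocketServer and JMSAppender entries absent, while JDBCAppender and the chainsaw package may still be listed, which is expected and only a concern if a configuration actually uses them. The version check applies to the log4j JARs themselves; patching-tool.jar carries the Patching Tool's own manifest, so for it go by the Patching Tool release as the checkpoint says, and for log4j-core 2.x JARs the 1.2.x class paths above will simply not appear.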