I use liferay 7.2.1 GA2, and its have log4j inside. But I can't figure out where it is and which version of it used in liferay. The only thing i found is liferay package com.liferay.portal.log4j.extender in app manager.
Which version of log4j used in liferay? Is it possible to update it for liferay?
On
If you are using the Elasticsearch sidecar (bundled Elasticsearch), liferay starts an additional process on startup. As far as I know, this one is using log4j-core 2.13.3.
There are blogpost that state the elasticsearch is not directly affected and usually those port should not be exposed - so you should make this sure.
Liferay Portal 7.2 uses log4j 1.2.17
You can check the libraries used by Liferay Portal 7.2 in the lib/versions.html file in the source code, see log4j version of Liferay Portal 7.2 here:
If you are asking this question due to the Log4j 2.x Zero-Day Vulnerability, it only affects to the Liferay Portal 7.4 version.
For more information see this post: https://liferay.dev/blogs/-/blogs/log4j2-zero-day-vulnerability