Pega Log4j Zero Day Vulnerability for OLD Pega platform versions (7.3)
Hello,
What is our company's general policy towards clients, that have some old Pega instances (7.3 in case of my client)?
What would be the recommended action?
Pegasystems Inc.
IN
Hello @nozhd
For more information, please read the articles below:
Security Advisory: Apache Log4j Zero Day Vulnerability
Pega Security Advisory - Apache Log4j Zero Day Vulnerability Hotfixes
Thank you
TalkTalk Telecom Group PLC
GB
@PoojaGadige The documentation says "This vulnerability can affect Pega clients running on-premises or self-managed cloud clients using Pega Platform version 7.3.x - 8.6.x."
This does not explicitly make a statement about versions before 7.3. Is there a statement that (for example) says that Pega applications built on version 7.1 are NOT impacted by the vulnerability ?
UBS Card Center AG
CH
@PoojaGadige these articles do mention that 7.3+ platforms are impacted but there is no communication when related hotfix is available. What is the planned timeframe for the patches on 7.3+?
Ford Motor Company
US
Pega Platform hotfixes to address CVE-2021-45105 (based on Apache Log4j 2.17) are still in development, and will be made available in a separate Hotfix Advisor.
If any one using prlogging.xml instead of prlog4j, they have to follow the instructions listed here:
Security Advisory: Apache Log4j 1.2 JMSAppender vulnerability