Hazelcast CVE-2022-36437 for Pega Platform 8.4.4
Hi Team,
We received the Client advisory CAD-21252 which states that the Pega Platform Hazelcast versions were upgraded to 3.12.13, 4.2.6 and 5.1.5. Hotfixes are being provided for the 8.6 to 8.8.1 patch releases.
It did not give more details on our version 8.4.4 . Could you please provide more details on the hotfix requirement for Pega 8.4.4?
Regards
NK
***Edited by Moderator Marissa to add Support Case details***
Accepted Solution
Updated: 18 Jul 2023 4:37 EDT
Pegasystems Inc.
GB
@NARESHK8 in the CAD ticket the following was clearly stated:
"Hotfixes are available for all Pega versions from 8.6 and later. Clients running version prior to 8.6 should implement network mitigants. "
Versions prior to 8.6:
Pega strongly recommends clients to update to the latest release and keep your platform current. The exploitation risk can be significantly lowered by following these recommendations:
The network hosting the Pega environments should be configured such that external access to Hazelcast server ports is completely restricted. The default TCP port range is 5701 to 5800.
This can be overridden by the customer using the following configuration: <env name="initialization/cluster/ports" value="xxxx"/> https://support.pega.com/support-doc/managing-clusters-hazelcast#common-cluster-settings [See section Common cluster settings -> Cluster Ports]
Also please be aware of the Pega Extended Support program
Updated: 12 Jul 2023 11:22 EDT
TechMahindra
CA
@MarijeSchillern: Thank you for the response.
We got approvals for extended support as currently we are unable to upgrade our Pega Platform version. Hence we will be still using Pega 8.4.4.
Could you help us confirm is there is a Hotfix available for Pega 8.4.4 version ?
Note: We are currently on Azure Public cloud and I believe by default all servers have firewalls , should we still need Hotfix from our end for Hazelcast ? Is there a way we can check and know that this is taken care ?
Regards,
Naresh K
Updated: 13 Jul 2023 4:29 EDT
Pegasystems Inc.
GB
Hi @NARESHK8
From my research there is no 8.4 hotfix available.
However I think it would be best if you log a support ticket to ask your question about the firewall as it can then be answered by the best team who may be more aware of your situation (I do not have visibility if any non-standard contractual arrangements were made) .
Could you provide the ticket ID once you have logged it? That will help me track progress with you.
TechMahindra
CA
@MarijeSchillern Thank you for your support on this discussion.
INC-A7267 - Created
Updated: 17 Jul 2023 5:52 EDT
Pegasystems Inc.
GB
@NARESHK8 I can see that the support team checked your contract and confirmed that there was no special arrangement with your company w.r.t an availability of a hotfix.
As already suggested in this forum question please follow the guidance that was provided in the Client advisory.
I can see that you asked our support team about "Common cluster settings" and that you were informed that the advice provided in the CAD relates to a network infrastructure issue and your infrastructure team should be made aware of it.
Once you agree to close the support ticket could I please ask that you hit the 'Accept Solution' button on my original reply so that other forum users can be helped with the details that we have covered here?