Question
Ucare Minnesota
US
Last activity: 30 Dec 2021 19:06 EST
Apache Log4j Zero Day Vulnerability Hotfixes - Expected Results?
Hello – we applied 3 hotfixes for 8.5.2.
The jar files in …/kafka- Proprietary information hidden/libs/ continue to be version 2.11.1. Is this an expected result?
Also, is this the expected result for pr_engineclasses? (please see attachment)
Thanks!
+++++++++++++++
Hotfixes applied: HFIX-82156, HFIX82037, and then also hfix-82093 as directed by Hotfix Manager.
…/kafka- Proprietary information hidden/libs/
log4j-api-2.11.1.jar
log4j-core-2.11.1.jar
log4j-slf4j-impl-2.11.1.jar
Accepted Solution
Updated: 22 Dec 2021 17:25 EST
Pegasystems Inc.
NL
Hi @KimD2729. Good. You can remove the old directory. The fix you have installed created the Proprietary information hidden kafka bin directory with the 2.15 version of log4j.
We're indeed working on hotfixes to move to 2.16 (and maybe later). Keep monitoring https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability#Hotfix for updates.
Pegasystems Inc.
NL
Hi @KimD2729, after installing the infinity platform patches it is expected that you'll see several JNDI classes in your engine table, as you're seeing. Pega will take the latest version automatically, no further action on that table is needed.
The Kafka hotfix however doesn't seem correctly installed. Have you tried removing the complete kafka-1.1.04 directory? At startup the stream node should create a kafka- Proprietary information hidden directory for you with the updated libraries. Try this first on your test system.
It's hard to troubleshoot individual cases, so please create backups before proceeding and consider opening a support ticket.
Ucare Minnesota
US
@Eric Rietveld Hi Eric - thanks for your reply.
Turns out the hotfix installed kafka- Proprietary information hidden, which has the 2.15 version of Log4j, which I understand also has a vulnerability.
Will there be another version of the hotfix?
Or should I just delete both the 1.1.04 and 1.1.06 directories and restart?
Thanks,
-Kim
++++++++++++++++++++
kdikke:/opt/tomcat/kafka- Proprietary information hidden/libs (Sb)> ll log*
-rw-r----- 1 tomcat tomcat  301804 Dec 17 19:27 log4j-api-2.15.0.jar
-rw-r----- 1 tomcat tomcat 1789769 Dec 17 19:27 log4j-core-2.15.0.jar
-rw-r----- 1 tomcat tomcat   24231 Dec 17 19:27 log4j-slf4j-impl-2.15.0.jar
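As an added example (not from this thread or from Pega), the check that would have answered the original question without guesswork: a POSIX shell script that walks every kafka-*/libs directory under a Tomcat root and flags log4j-core jars older than a minimum version. MIN_LOG4J and the constructed sample tree (mirroring the 2.11.1 jars in kafka-1.1.04 and the 2.15.0 jars in the hotfix-created kafka-1.1.06) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. Audits log4j-core jar versions
# across Kafka lib directories and flags any below MIN_LOG4J.
# Assumption: MIN_LOG4J is whatever version the advisory currently requires.
MIN_LOG4J="${MIN_LOG4J:-2.16.0}"

# Extract the version from a jar name such as log4j-core-2.15.0.jar.
jar_version() {
    basename "$1" .jar | sed 's/^log4j-core-//'
}

# True (exit 0) when dotted version $1 is lower than $2, comparing numerically
# component by component so that 2.9.0 sorts below 2.15.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1 }'
}

# Print "<kafka dir> <version> <STALE|OK>" for every log4j-core jar found
# under <root>/kafka-*/libs; an old directory left beside the new one shows
# up here, which is exactly the situation described in the thread.
scan_log4j() {
    for jar in "$1"/kafka-*/libs/log4j-core-*.jar; do
        [ -e "$jar" ] || continue
        ver=$(jar_version "$jar")
        if version_lt "$ver" "$MIN_LOG4J"; then status=STALE; else status=OK; fi
        printf '%s %s %s\n' "$(dirname "$(dirname "$jar")")" "$ver" "$status"
    done
}

# Number of stale jars; handy as a cron or CI gate.
stale_count() {
    scan_log4j "$1" | grep -c ' STALE$' || true
}

# Constructed sample tree: empty jar files are enough for a name-based check.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/kafka-1.1.04/libs" "$root/kafka-1.1.06/libs"
    touch "$root/kafka-1.1.04/libs/log4j-core-2.11.1.jar" \
          "$root/kafka-1.1.06/libs/log4j-core-2.15.0.jar"
    echo "$root"
}

scan_log4j "$(make_sample_tree)"
```

A name-based check only sees the jar filename; a jar that was repacked without being renamed needs inspection of its META-INF/MANIFEST.MF instead.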
Kimberly Dikken
Social Security Administration
US
@Eric Rietveld can you please explain the details and what the plans are. Should we continue to patch or hold on until new patch is released?
Pegasystems Inc.
NL
@MendusC9 please see my post in https://collaborate.pega.com/question/log4j-day-zero-vulnerability
AEGIS Limited
US
I have noticed that on the Security Advisory page the Pega 8 and Pega 7 log4j Hot Fix links are broken, so we can't identify which Hot Fix number to request.
Please check.
AEGIS Limited
US
Called up Pega Helpline and they have explained that Pega 8 Stream Service Hot Fix includes all required Hot Fixes.