Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Gopi Bala Nageswara Rao Pentakota (Gopi Pentakota)
TCS
Assistant Consultant
TCS
US
Gopi Pentakota Member since 2012 9 posts
TCS
Posted: Dec 11, 2021
Last activity: Dec 14, 2021
Posted: 11 Dec 2021 17:54 EST
Last activity: 14 Dec 2021 6:45 EST
Closed

CVE-2021-44228 - RCE 0-day exploit found in log4j2

Hi, 

There is a highly vulnerable, Zero day exploit found in log4j2 versions lower than 2.14.1.

CVE - CVE-2021-44228 (mitre.org)

Can we get some help on how to identify the version of log4j2 being used and how to upgrade it.

Also is Pega releasing any hotfix is there is an impact ?

Thanks,

Gopi

***Edited by Moderator: Pooja Gadige to change content format from Discussion to Question***
To see attachments, please log in.
Pega Platform
Security
Senior System Architect

  • david clark
Posted: 2 years ago
Updated: 2 years ago
Posted: 13 Dec 2021 5:40 EST
Updated: 13 Dec 2021 7:55 EST
Matthew Niziolek (MatthewN5532)
The Automobile Association
Pega Delivery Lead
The Automobile Association
GB

Is Pega 7.19 affected as I understand log4j2 was only introduced in 7.3?

To see attachments, please log in.
Posted: 2 years ago
Posted: 14 Dec 2021 6:45 EST
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

Hi @MatthewN5532, that version is not affected by this, as is now also shown in the updated article  https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability . However to take advantage of various other security improvements we do recommend to upgrade to Pega 8.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice