Entry of org/apache/logging/log4j/core still visible after import of Apache Log4j Vulnerability Hotfixes
Below query still returns results after Apache Log4j Vulnerability hotfix installation. In fact, it returns one additional row(for v 8.1.1. and 2 new rows for v 8.5.2) which got inserted with hotfix installation. Please advise if that is expected.
select pzjar,pzpackage,pzclass,pzlastmodified,pzmoduleversion,pzcodesetversion,pzpatchdate from <Rules Schema Name>.pr_engineclasses where pzclass = 'JndiLookup.class' and pzpackage = 'org/apache/logging/log4j/core/lookup';
Accepted Solution
Updated: 21 Dec 2021 8:01 EST
Carelon
IN
@HARIL043 I assume JARs needs to removed manually. There is not alternative. I have tried out the same on a Pega PE edition for triaging purpose doing the same. Its better to reach out to Pega GCS by raising a support ticket for confirmation.
MORGAN STANLEY
IN
@KarthikM6254 Hi Karthik,
As per earlier communication we need to apply these steps as there was no Hot fix released. Now we got Hot fix, but still we need to run ?
In our Org, max all 8.x versions in prod , so we requested all the Hot fixes mentioned here.
Accepted Solution
Updated: 21 Dec 2021 8:01 EST
Carelon
IN
@HARIL043 I assume JARs needs to removed manually. There is not alternative. I have tried out the same on a Pega PE edition for triaging purpose doing the same. Its better to reach out to Pega GCS by raising a support ticket for confirmation.
MORGAN STANLEY
IN
@KarthikM6254 Thanks Support request raised #
| INC-205043 |