Question
Great Eastern
SG
Last activity: 29 Dec 2021 15:05 EST
Hotfix for Log4Shell log4j vulnerability - CVE-2021-44228
Hi Team, based on the latest client advisory, we have been asked to upgrade to Apache log4j 2.16.0. Is the Pega team developing a hotfix to upgrade to this version?
Thank you
Pegasystems Inc.
IN
Hello @NandhiniVenkat
Please read Security Advisory: Apache Log4j Zero Day Vulnerability for more details on the hotfix.
Thank you.
Great Eastern
SG
@PoojaGadige Thank you for the response. I did go through it.
The advisory mentions that a hotfix is being developed based on Apache's recommendation for the CVE. I want to confirm whether the hotfix is to upgrade the log4j version to 2.16?
Pegasystems Inc.
NL
Hi @NandhiniV6911, we started building patches based on log4j 2.15 first, since 2.16 was not released yet, but we have now shifted to packaging based on 2.16. While we are preparing the official hotfixes, please immediately remove the JndiLookup class as described in our article to mitigate the biggest risk.
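The interim mitigation above (removing JndiLookup.class from log4j-core until the hotfix ships) is easy to verify with a small scanner. The following is an added example, not Pega's code or the advisory's procedure: it walks a JAR/WAR/EAR (including nested jars under WEB-INF/lib), reports every archive that still carries the class together with the log4j-core version from its Maven pom.properties, and produces a stripped copy. The sample archives it builds are constructed in-memory inputs; Pega deployments that keep jars in the database would need the same check run on the bytes pulled from there.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class to remove
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(zf):
    """Return the log4j-core version from the Maven pom.properties entry, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar_bytes(data, path="<bytes>"):
    """List every (nested) archive under `data` that still carries JndiLookup.class."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append({"path": path, "version": log4j_core_version(zf)})
        for name in names:  # recurse into bundled jars, e.g. WEB-INF/lib/*.jar
            if name.endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings

def strip_jndi_lookup(data):
    """Return a copy of the archive bytes with the top-level JndiLookup.class dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version="2.14.1", with_jndi=True):
    """Constructed test input: a fake log4j-core jar holding only the entries we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()

def build_sample_war():  # constructed test input: a WAR bundling the fake jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar())
    return buf.getvalue()
```

A stripped jar must be written back to where the application actually loads it, and nested jars have to be stripped and re-packaged individually; the version string is informational only, since a vendor may have patched a jar without bumping it.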
Northbridge
CA
@Eric Rietveld hey Eric,
Apache has now released 2.17 to fix the issues in 2.16 which was released to fix 2.15 which was released to fix < 2.15 :)
https://logging.apache.org/log4j/2.x/security.html
We have deleted the jndi files from the db. Shall we wait for further updates when hotfixes are released with log4j2 2.17?
Thanks
Shekhar
Fathima Sultana Shaik
AEGIS Limited
US
Log4j has released version 2.17.
https://logging.apache.org/log4j/2.x/security.html
Do we wait till the hotfix based on version 2.17 is released?
Pegasystems Inc.
NL
Please see my update in https://collaborate.pega.com/question/log4j-day-zero-vulnerability