Log4j day zero vulnerability - Pega Search
It appears the Pega search 8.6.0 docker image contains ElasticSearch 5.6.14, which uses log4j 2.11.1. It is my understanding that setting the JVM argument -Dlog4j2.formatMsgNoLookups=true is no longer sufficient to fully mitigate the Log4j day zero vulnerability.
The only mitigations available now are to update the library to version 2.16.0 or fully remove the JndiLookup class from the Java application's classpath.
For Pega search, removing the JndiLookup class or replacing the 2.11.1 jars with 2.16.0 jars is not an option, because when the pega-search StatefulSets are restarted, new ones are spun up.
Is Pega actively working on a fix for ElasticSearch and log4j versions contained in the Pega search 8.6.0 docker image?
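As an added example (not Pega's or Elasticsearch's code), here is a Python check a defender can run over an unpacked image layer or classpath directory: it reads the log4j-core version from the jar's Maven pom.properties, tests for the JndiLookup class the post mentions, and writes a copy of the jar with that class removed. The sample jar it builds is constructed for the demo and contains no real bytecode; the path and file names are assumptions.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # library version the post names as the fix

def parse_version(text):
    # '2.11.1' -> (2, 11, 1), so versions compare numerically rather than as strings
    return tuple(int(p) for p in text.strip().split(".")[:3])

def inspect_jar(path):
    # Report the embedded log4j-core version and whether JndiLookup.class is present
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    # Action is needed when the lookup class is present in a pre-2.16.0 (or unknown) build
    has_jndi = JNDI_CLASS in names
    needs_action = has_jndi and (version is None or version < FIXED_VERSION)
    return {"path": path, "version": version, "has_jndi": has_jndi,
            "needs_action": needs_action}

def scan_tree(root):
    # Walk a directory (e.g. an unpacked image layer) and inspect every log4j-core jar
    return [inspect_jar(os.path.join(d, f)) for d, _, files in os.walk(root)
            for f in files if f.endswith(".jar") and "log4j-core" in f]

def strip_jndi_lookup(path):
    # Write a copy of the jar without JndiLookup.class; the original is left untouched
    out = path[:-4] + ".nojndi.jar"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out

def build_sample_jar(root=None):
    # Constructed stand-in for log4j-core 2.11.1: only the marker class and pom.properties
    root = root or tempfile.mkdtemp()
    path = os.path.join(root, "lib", "log4j-core-2.11.1.jar")  # assumed layout
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.11.1\n")
        jar.writestr(JNDI_CLASS, b"placeholder")  # constructed bytes, not real bytecode
    return root
```

Because the image is rebuilt from the same base on every StatefulSet restart, a check like this belongs in the image build or admission pipeline rather than on a running pod.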