Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Joleen Kuchenbacker (kuchj1)
PEGA
Senior Client Success Manager
Pegasystems Inc.
US
kuchj1 Member since 2021 3 posts
PEGA
Posted: Dec 20, 2021
Last activity: Jan 5, 2022
Posted: 20 Dec 2021 10:53 EST
Last activity: 5 Jan 2022 5:37 EST
Closed
Solved

Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16.

Client reporting question below, is this expected behavior? 

    1. Per Robert Clause, 12/20, Seems Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16.
      1. NVD - CVE-2021-45105 (nist.gov)
        1. Details: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
***Edited by Moderator: Pooja Gadige to add capability tag***
To see attachments, please log in.
Pega Platform
Security
Communications and Media

Accepted Solution

Posted: 3 years ago
Updated: 3 years ago
Posted: 20 Dec 2021 12:04 EST
Updated: 20 Dec 2021 12:34 EST
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

Hi @kuchj1, yes, the hotfix you installed will bring you to log4j version 2.16. We'll be shipping 2.17 based patches soon. Please keep monitoring https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability#Hotfix

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice