Is Log4j version 2.17.1 hotfix in the works?
CVE-2021-44832
Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
Updated: 29 Dec 2021 15:05 EST
Great Eastern
SG
@Eric Rietveld Based on the link, the hot fix for Pega 7.3.1 is based on Apache log 4j version 2.12.3. Will Pega release newer hotfix based on 2.17 version?
Branched Information: Originally posted as reply here.
Pegasystems Inc.
US
Hello @wtran and @NandhiniV6911
Please see: Pega Security Advisory - Apache Log4j 2.17 Vulnerability Hotfixes
Cathay Bank
US
Hello @MarissaRogers,
The hotfix on that link only addresses Log4j - CVE-2021-45105 - Log4j 2.17 Update (8.4.5). However, yesterday another vulnerability has been introduced with Log4j 2.17 and there should be an update to 2.17.1 which addresses CVE-2021-44832. Just wanted to keep updated with the most current.
Thanks,
Will
Great Eastern
SG
@MarissaRogers From the link, Hotfix for Pega 8.x versions are based on Apache Log4j 2.17.
But from above link, hotfix for Pega 7 versions are based on Apache Log4j version 2.12.3. Is there a possibility to get Pega 7 hotfixes based Apache Log4j 2.17? As based on our client advisory, we have to upgrade to the latest Apache log 4j version.
Pegasystems Inc.
NL
Hi @NandhiniV6911, the Pega 7 hotfix needs to support Java 7 so we're shipping 2.12.x versions of the log4j library. As described in https://logging.apache.org/log4j/2.x/ that version mitigates the same CVEs as 2.17.x
Cathay Bank
US
@MarissaRogers Has there been any updates for the hotfix on Log4j version 2.17.1??
Pegasystems Inc.
GB
Hello Will @wtran
I can see that you have logged this question in support ticket SR-111376.
Our initial analysis is that there is no ETA for this at the moment and this is related to 2.17.1.
See details in :
The engineer investigating your support ticket will respond to you shortly and will help continue this discussion with you in parallel with any further input on this post.