Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Marc Poinsot (MarcP041)
BNP Paribas

BNP Paribas
FR
MarcP041 Member since 2019 2 posts
BNP Paribas
Posted: Dec 14, 2021
Last activity: Dec 16, 2021
Posted: 14 Dec 2021 5:20 EST
Last activity: 16 Dec 2021 6:50 EST
Closed

Pega Log4j Zero Day Vulnerability

Hello,

We are using on-premises Pega Platform 8.2.3 and 8.5.3 with Websphere Liberty.

Based on your last Security Advisory (https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability) our 8.2.3 environments are only impacted by the Log4j embedded within the Pega Platform product, whereas our 8.5.3 environment is also impacted by the Kafka libraries vulnerability.

Can you confirm that it is not useful to apply the kafka fix for our Pega 8.2.3 environment ?

Pega 8.2.3 Kafka libraries used : kafka- Proprietary information hidden

Pega 8.5.3 Kafka libraries used : kafka- Proprietary information hidden

Thanks in advance,

***Edited by Moderator: Pooja Gadige to add capability tag***
To see attachments, please log in.
Pega Platform
Security

  • Michael Zielinski Premal Patel
Posted: 2 years ago
Posted: 16 Dec 2021 6:50 EST
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

The Kafka versions with log4j version 1 are not vulnerable to this attack. For the Kafka's using log4j-2, since they should not be direct access to Kafka, you can opt to wait for the offical hotfix, or apply the solution as outlined in the security advisory

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice