Pega on-premises Apache Log4j Zero Day Vulnerability
For Pega on-premises (MLP 7.3.1 / Tomcat)
Followed the instructions mentioned in the security advisory document (https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability).
- Executed the delete statement (delete from pegarules.pr_engineclasses where pzclass = 'JndiLookup.class' and pzpackage = 'org/apache/logging/log4j/core/lookup';)
- Searched for the files starting with log4j in the application server directory and could see only two jars, log4j-core-2.3 & log4j-api-2.3, in the directory (Pega7.31\scripts\lib), so just replaced them with the latest jars (log4j-api-2.15.0.jar & log4j-core-2.15.0.jar).
- If the system is configured with SMA, then the log4j-api-2.x jar at \Tomcat\webapps\prsysmgmt\WEB-INF\lib needs to be replaced.
Since the jar files have been replaced with the latest version, do we need to update any reference/dependency files that refer to the log4j2 jars in the system?
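
Added example, not part of the original post or of Pega's advisory: a Python inventory check for the jar-replacement steps above. It walks a directory, lists every log4j-core/log4j-api jar with its version, and flags jars older than 2.15.0 (the version used in the post) or still containing JndiLookup.class; the function names and the `minimum` parameter are assumptions of this example.

```python
import os
import re
import sys
import zipfile

# Class named in the advisory's delete statement (pzpackage + pzclass), as a jar entry.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-(core|api)-(\d+(?:\.\d+)*)[^/\\]*\.jar$", re.I)


def parse_version(text):
    """Turn '2.3' into (2, 3, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0])[:3])


def scan_log4j(root, minimum=(2, 15, 0)):
    """Return one dict per log4j-core/log4j-api jar found under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_NAME.match(name)
            if not match:
                continue
            path = os.path.join(folder, name)
            version = parse_version(match.group(2))
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                has_jndi = None  # unreadable jar: needs a manual look
            findings.append({
                "path": path,
                "artifact": "log4j-" + match.group(1).lower(),
                "version": version,
                "outdated": version < minimum,
                "has_jndi_lookup": has_jndi,
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in scan_log4j(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Jars packed inside an unexpanded .war or .ear archive are not opened by this scan, so run it against the expanded webapps directory as well as the scripts\lib directory.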