Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Michael Klumb (MichaelK1674)
Deutsche Post AG

Deutsche Post AG
DE
MichaelK1674 Member since 2019 12 posts
Deutsche Post AG
Posted: Jan 21, 2022
Last activity: Jan 28, 2022
Posted: 21 Jan 2022 1:26 EST
Last activity: 28 Jan 2022 8:35 EST
Closed

When will hotfix log4j 2.17.1 come?

Last week in https://docs-previous.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability#2.17.1 the hotfix was announced for the 14.1.2022 and I already prepared the deployment.

On the 14th the date was changed to "the week of January 17, 2022".

Now it is friday and I cannot find the hotfix. Is there any reliable date when the hotfix will come?

***Edited by Moderator: Pooja Gadige to add capability tag***
To see attachments, please log in.
Pega Platform 8.5.5
Security

Posted: 2 years ago
Posted: 21 Jan 2022 8:22 EST
Michael Klumb (MichaelK1674)
Deutsche Post AG

Deutsche Post AG
DE

@MichaelK1674

Thanks to Pooja for adding the tag.

Nevertheless after the date given last week, again a week is gone. And I haven't got any reply to this question. It seems that no one knows if and when this hotfix will be released.

To see attachments, please log in.
Posted: 2 years ago
Posted: 27 Jan 2022 2:47 EST
Michael Klumb (MichaelK1674)
Deutsche Post AG

Deutsche Post AG
DE

And still nobody seems to have any information about the release date of the hotfix for log4j 2.17.1. In the meantime I raised an SR. But after days besides of triaging nothing happens to this SR.

I would appreciate if there is any news regarding this topic.

To see attachments, please log in.
Posted: 2 years ago
Posted: 27 Jan 2022 5:47 EST
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

Hi Michael,

We apologize for the delay and outdated advisory information.

The mentioned hotfix in the end did actually get released on the 17th, however there was no advisory update. I see that you have received the files in the meantime through support. I've submitted a request to update the advisory. Please feel free to directly provide us feedback on a specific doc or community article through the yellow 'contact us' option on the right hand side at any time, to further allow us to improve.

Please note that the criticality of this hotfix is debatably. If you've already applied the earlier hotfixes, there's most likely no risk left which requires this 2.17.1 log4j based hotfix. There's a high chance there's more direct security benefits by focusing on other aspects of your Pega security.

I hope this answers your questions and you can mark this question as addressed. Please reach out to me directly in case you'd like assistance in identifying other opportunities to improve security of your Pega applications.

Kind regards,

Eric Rietveld

[email protected]

 

To see attachments, please log in.
Posted: 2 years ago
Posted: 28 Jan 2022 8:35 EST
Michael Klumb (MichaelK1674)
Deutsche Post AG

Deutsche Post AG
DE

@Eric Rietveld

Besides of this question I also raised an SR which was also not answered. I am not willing to accept that it takes a week to answer a simple question. Especially if I understand from other questions that Pega did not inform anybody that the hotfix was released. And this morning I was running the hotfix manager and this hotfix was still not in the catalogue. But now Pega cloud team started to install the hotfix on my environments.

You may debate if this hotfix is needed or not. But it is a mandatory requirement of IT-Security in our company. They don't do any compromises on security. 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice