Skip to main content

Question

 Sandhya Rani Padhi (Sandhya)
Tech Mahindra
Tech Manager
Tech Mahindra
IN
Sandhya Member since 2017 6 posts
Tech Mahindra
Posted: May 24, 2024
Last activity: Jun 4, 2024
Posted: 24 May 2024 7:50 EDT
Last activity: 4 Jun 2024 13:37 EDT

While installing external package for elastic search getting vulnerability CVE-2023-44487

While installing external package for elastic search getting vulnerability CVE-2023-44487 which is of severity 1 CRITICAL. Although the solution mentioned there as " Upgrade package libnghttp2-14 to version 1.40.0-1ubuntu0.2 or above." and an upgrade is also planned. however would like to know if anyone faced similar issue while installing external package for elastic search 8.10.3 and how is it fixed. Any other additional steps to be taken regarding to docker image or anything else.

***Edited by Moderator Marissa to add Capability tags***
To see attachments, please log in.
Pega Infinity
Security
Financial Services
Lead System Architect

  • Reply
Posted: 5 months ago
Posted: 4 Jun 2024 13:37 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@Sandhya

As of now, our certification covers version 8.10.3 exclusively.

Pega is not directly vulnerable to CVE-2023-44487.  However, your application server may be.  You should check with your application server vendor on this.

If you are using Apache Tomcat as your application server, per Apache's website, the following versions are fixed for this CVE-2023-44487:

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81 https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice