Will 7.3.1 get a hotfix using log4j 2.17.1
Reading the documentation provided by Pega on the log4j vulnerability the hotfixes for 7.3.1 appear to just be the mitigation approach, is there a timeline for when a hot fix incorporating 2.17.1 will be available please for this version of Pega platform. Just our client is a goverment agency and are expecting us to have a version of pega that uses 2.17.1 as that is the recommended resolution.
Accenture
GB
@IanP5392 I've managed to find a bit more info and your site states the following:
Since Pega Platform 7.x supports both Java 7 and Java 8, our hotfix is based on Apache Log4j version 2.12.3, which will mitigate vulnerabilities in Pega 7 versions for clients using both Java 7 and Java 8.
So as it stands it does not sound like there will be a version using 2.17.1 now as the mitigation we have performed is enough but the mitigation from apache says it should be 2.12.4 not 2.12.3 as below: Mitigation
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later)
Could you clarify if it is based on version 2.12.4 please?
Ford Motor Company
US
@IanP5392 I'm actually struggling with the same and infact we had issue after installing the HFIX. Later we identified, our developers imported a jar which has older version of Log4j in it and for some reason, Pega getting a bootstrap error untill we drop those classes [consulted GCS and per Pega Engineering Suggestion].
However, even after the Log4J HFIX installed along with all Critical Missing as well as Update Manager HFIX's I still see the Log4J HFIX still showing it as Critical Missing HFIX :(
Reference SR:
|
INC-206481 |
Pegasystems Inc.
GB
@SUMAN_GUMUDAVELLY I see that your support ticket was closed with the details that we provided SQL to confirm that the correct version of the Java LOG4J Jar was installed. You confirmed correct installation and subsequent operation.
@IanP5392 please see the latest information in the following article:
Are you able to mark this post as Resolved?
Accenture
GB
@MarijeSchillern we have been testing the patch for 7.3.1 today, but following the installation it shows as partially installed
, and upon digging into the details it appears to have not installed...
Could you confirm if this is an issue and if so what we need to also deploy please... or what step was missed.
Accenture
GB
@MarijeSchillern That is talking about 2.12, but could be the same. ALthough my team member Matthew has also mentioned this in a question as well: https://collaborate.pega.com/question/hotfix-log4j-vulnerability-showing-partially-installed#comment-850966 Should we close this down once we get confirmation?