Apache Log4j 2.17.1 Vulnerability Hotfixes

system · January 31, 2022, 3:13pm

As per the pega documentation to receive Apache Log4j 2.17.1 Vulnerability Hotfix we need to be on 8.4.6 version.

Currently we are on 8.4.0 and already applied Log4j 2.17 hotfix. Can we get hotfix for Log4j 2.17.1 without upgrading to 8.4.6 version ?

MarijeSchillern · January 31, 2022, 4:17pm

@srinivasur6711 yes you need to be on the latest version,

"… Pega’s Log4j 2.17.1 hotfixes will only be available for the latest patch release of each Pega Platform version, and clients must evaluate whether they require this fix. Clients who are on prior patch versions must upgrade to the latest patch version in order to receive and apply this hotfix, or they must apply a 2.17 hotfix from the Apache Log4j 2.17 Vulnerability Hotfixes Advisory. "

This is as per the article:

https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-pega-platform-apache-log4j-2171-vulnerability-hotfixes

system · January 31, 2022, 4:26pm

@MarijeSchillern

sounds good.

Conversation		Replies	Views
Pega on-premises Apache Log4j Zero Day Vulnerability General security , system-administration , financial-services , 7-3-1	6	899	December 21, 2021
Zero-day flaw log4j2 - needs patching General pega-platform , system-architect , security , financial-services	3	274	December 20, 2021
Apache Log4j Zero Day Vulnerability Hotfixes - Expected Results? General security , 8-5-2	7	299	December 31, 2021
Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16. General pega-platform , security , communications-and-media	2	37	December 20, 2021
page not found for pega 8 log 4j 2.17 hotfix details General security , updates , 8-4-1	3	85	January 5, 2022

Apache Log4j 2.17.1 Vulnerability Hotfixes

Related topics