Apache Log4j Zero Day Vulnerability Hotfixes - Expected Results?

Hello – we applied 3 hotfixes for 8.5.2.

The jar files in …/kafka-1.1.0.4/libs/ continue to be version 2.11.1. Is this an expected result?

Also, is this the expected result for pr_engineclasses? (please see attachment)

Thanks!

+++++++++++++++

Hotfixes applied: HFIX-82156, HFIX-82037, and then also HFIX-82093 as directed by Hotfix Manager.

…/kafka-1.1.0.4/libs/

log4j-api-2.11.1.jar

log4j-core-2.11.1.jar

log4j-slf4j-impl-2.11.1.jar

Hi @KimD2729, after installing the infinity platform patches it is expected that you’ll see several JNDI classes in your engine table, as you’re seeing. Pega will take the latest version automatically, no further action on that table is needed.

The Kafka hotfix however doesn’t seem correctly installed. Have you tried removing the complete kafka-1.1.0.4 directory? At startup the stream node should create a kafka-1.1.0.6 directory for you with the updated libraries. Try this first on your test system.

It’s hard to troubleshoot individual cases, so please create backups before proceeding and consider opening a support ticket.

@Eric Rietveld Hi Eric - thanks for your reply.

Turns out the hotfix installed kafka-1.1.0.6, which has the 2.15 version of Log4j, which I understand also has a vulnerability.

Will there be another version of the hotfix?

Or should I just delete both the 1.1.0.4 and 1.1.0.6 directories and restart?

Thanks,

-Kim

++++++++++++++++++++

kdikke:/opt/tomcat/kafka-1.1.0.6/libs (Sb)> ll log*
-rw-r----- 1 tomcat tomcat 301804 Dec 17 19:27 log4j-api-2.15.0.jar
-rw-r----- 1 tomcat tomcat 1789769 Dec 17 19:27 log4j-core-2.15.0.jar
-rw-r----- 1 tomcat tomcat 24231 Dec 17 19:27 log4j-slf4j-impl-2.15.0.jar

Hi @KimD2729. Good. You can remove the old directory. The fix you have installed created the 1.1.0.6 kafka bin directory with the 2.15 version of log4j.

We’re indeed working on hotfixes to move to 2.16 (and maybe later). Keep monitoring Pegasystems Documentation for updates.
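The check the two posts above do by hand (listing each kafka-*/libs directory and reading the log4j-core version off the jar name) as an added shell example, not code from this thread or from Pega; the Tomcat root layout, the constructed sample tree and the 2.16.0 minimum are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Pega): find every kafka-*/libs under
# a Stream node root, read the log4j-core version from the jar name, and flag
# directories still below a minimum version. Layout is assumed to mirror the
# posts: <root>/kafka-1.1.0.4/libs/log4j-core-2.11.1.jar and so on.

# Version string from the log4j-core jar name in libs dir $1 ("" if absent).
log4j_core_version() {
    for jar in "$1"/log4j-core-*.jar; do
        [ -e "$jar" ] || return 0
        base=$(basename "$jar" .jar)
        echo "${base#log4j-core-}"
        return 0
    done
}

# Compare dotted numeric versions $1 and $2: prints older, same or newer.
compare_versions() {
    i=1
    while [ "$i" -le 4 ]; do
        pa=$(echo "$1" | cut -d. -f"$i"); pb=$(echo "$2" | cut -d. -f"$i")
        pa=${pa:-0}; pb=${pb:-0}
        [ "$pa" -lt "$pb" ] && { echo older; return; }
        [ "$pa" -gt "$pb" ] && { echo newer; return; }
        i=$((i + 1))
    done
    echo same
}

# Status of libs dir $1 against minimum version $2: OK, OUTDATED or NO_LOG4J.
libs_status() {
    v=$(log4j_core_version "$1")
    [ -n "$v" ] || { echo NO_LOG4J; return; }
    [ "$(compare_versions "$v" "$2")" = older ] && echo OUTDATED || echo OK
}

# Print "<kafka dir> <version> <status>" for every kafka-*/libs under root $1.
report_kafka_dirs() {
    for libs in "$1"/kafka-*/libs; do
        [ -d "$libs" ] || continue
        echo "$(basename "$(dirname "$libs")") $(log4j_core_version "$libs") $(libs_status "$libs" "$2")"
    done
}

# Constructed sample tree (assumption) mirroring the two directories in the thread.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/kafka-1.1.0.4/libs" "$root/kafka-1.1.0.6/libs"
    touch "$root/kafka-1.1.0.4/libs/log4j-core-2.11.1.jar" "$root/kafka-1.1.0.6/libs/log4j-core-2.15.0.jar"
    echo "$root"
}

report_kafka_dirs "$(build_sample_tree)" 2.16.0
```

On a real node run `report_kafka_dirs /opt/tomcat 2.16.0` (or whatever minimum the current advisory names); the old kafka-1.1.0.4 directory shows up as OUTDATED until it is removed.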

@Eric Rietveld can you please explain the details and what the plans are. Should we continue to patch or hold on until the new patch is released?

@MendusC9 please see my post in https://collaborate.pega.com/question/log4j-day-zero-vulnerability

@Eric Rietveld

I have noticed that on the Security Advisory page the Pega 8 and Pega 7 log4j Hot Fix links are broken, so we can’t identify what Hot Fix number to request.

Please check.

@VishalS3

I called the Pega Helpline and they explained that the Pega 8 Stream Service Hot Fix includes all required Hot Fixes.