HFIX-B2898 Installation

SteveS39 · February 13, 2025, 8:56pm

Pega 8.8.3, added HFIX-B2898 to 4 non-production environmnets, 1 is producing this error: Java code injection pattern identified in the java source code. Vulnerable code detected: java.lang.reflect.Array.getLength(paramVal);AddthetypeandarrayTypeattributesparamElem.addAttribute(“type”,“soapenc:Array”,xsiNS);paramElem.addAttribute(“arrayType”,“xsd:”+arrayType+‘[’+arrayLength+‘]’,soapencNS);Createanitemelementforeacharrayvaluefor(intj=0;j<arrayLength;j++){ObjectarrayVal=java.lang.reflect.Array.get(paramVal,j);com.pega.apache.axiom.om.OMElementitemElem=omFactory.createOMElement(“item”,blankNS,paramElem);CreateastringvaluewiththecorrectformatStringstringVal=“”;if(arrayType.equals(“date”)){if(arrayValinstanceofjava.util.Date)stringVal=PRDateFormat.formatXSDDate((java.util.Date)arrayVal);elsethrownewConnectorException("UnexpectedtypeforX

How do I fix this?

RameshSangili · February 14, 2025, 1:19am

@SteveS39

I recommend creating an INC ticket (Product Support ticket) if there is an error due to HFIX.

Sairohith · February 14, 2025, 5:07am

@SteveS39This error message is a false alarm and does not mean your system is actually vulnerable. The code uses reflection methods like java.lang.reflect.Array.getLength, which are safe when used correctly by the HFIX‑B2898 patch. First, verify that the patch is properly installed in the environment showing the error. Next, check for any custom changes that might have accidentally introduced unsafe code. If everything looks normal, you can safely ignore the warning. It is common for security scanners to flag these patterns even when they are secure. In many cases, you can add an exception to your security scanner for this message. Thanks

MarijeSchillern · February 14, 2025, 12:25pm

@SteveS39 as @RameshSangili correctly suggested, please log an INC via the MSP in order to determine if it was the HFix that caused the issue, and to make sure what actions are required.

Please provide the INC ticket ID in a reply here, so that we can track the issue.

SteveS39 · February 14, 2025, 7:42pm

@MarijeSchillern Our ticket number is INC-C6657. Our dev team is currently working with Pega Support as well. Thanks for your help and recommendations.

Conversation		Replies	Views
Required HFIX-83580 hotfix General security , installation-and-deployment , 8-2-8	1	94	July 23, 2022
I need HFIX-B2891 for Pega Platform version 24.2.1, Pega provided me with wrong version in HF-C976. How can I open an incident to get the correct version. General pega-platform , 24-2-1	1	77	March 12, 2025
Entry of org/apache/logging/log4j/core still visible after import of Apache Log4j Vulnerability Hotfixes General security , 8-5-2	4	136	December 21, 2021
java.io.IOException: java.lang.reflect.InvocationTargetException General pega-platform , java-and-activities , 8-8-2	1	105	December 16, 2024
page not found for pega 8 log 4j 2.17 hotfix details General security , updates , 8-4-1	3	82	January 5, 2022

HFIX-B2898 Installation

Related topics