It appears the Pega search 8.6.0 docker image contains ElasticSearch 5.6.14, which uses log4j 2.11.1. It is my understanding that setting the JVM argument -Dlog4j2.formatMsgNoLookups=true is no longer sufficient to fully mitigate the Log4j zero-day vulnerability.
The only mitigations available now are to update the library to version 2.16.0 or fully remove the JndiLookup class from the Java application's classpath.
For Pega search, removing the JndiLookup class or replacing the 2.11.1 jars with 2.16.0 jars are not options because when pega-search statefulsets are restarted, new ones are spun up.
Is Pega actively working on a fix for ElasticSearch and log4j versions contained in the Pega search 8.6.0 docker image?
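The two mitigations the question above lists (log4j-core at or above 2.16.0, or JndiLookup.class removed from the jar) can be verified and applied with a small scanner. The script below is an added example for this thread, not Pega's or Elasticsearch's own tooling; it reads the log4j-core version from the Maven pom.properties that log4j-core jars carry, reports whether JndiLookup.class is still present, and can strip the class from a jar. The 2.16.0 threshold is the one stated in the question, and the sample jars it builds are constructed stand-ins, not real log4j artifacts. As the question notes, a change like this only survives a StatefulSet restart if it is baked into the image rather than applied to a running container.

```python
"""Scan a directory tree for log4j-core jars and classify them by the two
mitigations discussed above. Example code added for this thread; not Pega's
or Elasticsearch's own tooling."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars carry this properties file with a version= line.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # threshold quoted in the question above (assumption)


def parse_version(text):
    """Turn '2.11.1' into (2, 11, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_jar(path):
    """Return (log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def classify(version, has_jndi_lookup):
    """Apply the thread's rule: only an upgrade or class removal counts as mitigated."""
    if not has_jndi_lookup and version is None:
        return "not-log4j-core"
    if not has_jndi_lookup:
        return "mitigated-class-removed"
    if version is not None and parse_version(version) >= FIXED_VERSION:
        return "patched"
    return "vulnerable"


def scan_directory(root):
    """Map each jar (relative path) under root to its classification."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, has_lookup = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real zip; skip rather than misreport
            findings[os.path.relpath(path, root)] = classify(version, has_lookup)
    return findings


def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class. Returns True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(item, src.read(item.filename))
    with open(path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


def make_sample_jar(path, version, include_lookup):
    """Constructed stand-in for log4j-core-<version>.jar; not a real artifact."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        make_sample_jar(os.path.join(lib, "log4j-core-2.11.1.jar"), "2.11.1", True)
        make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0", True)
        print(scan_directory(root))
        strip_jndi_lookup(os.path.join(lib, "log4j-core-2.11.1.jar"))
        print(scan_directory(root))
```

Run it against an extracted container filesystem (for example the output of `docker export` unpacked into a directory) to see which jars still need action; the scanner deliberately ignores the formatMsgNoLookups JVM flag, matching the position taken in the question.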
@Eric Rietveld Hi again! We are looking for the updated Docker images, can you help with the link for the images? Charter is only seeing an image that is 9 months old (see attached). Happy holidays!
However, the 8.5 and 8.5.5 Docker images were fixed.
Please see the explanation on which docker images to use for the fixed versions.
"For versions 8.2 – 8.6, Pega has updated both the main major/minor version of Pegasystems Search (example: “8.5”) and the latest patch version of that major/minor version (example “8.5.5”). Either of these Search Docker images are applicable to all Pega patch versions within the minor version (example: both “8.5” and “8.5.5” apply to 8.5, 8.5.1, 8.5.2, 8.5.3, 8.5.4, and 8.5.5)."