Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16.

kuchj1 · December 20, 2021, 3:53pm

Client reporting question below, is this expected behavior?

1. Per Robert Clause, 12/20, Seems Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16.
  1. NVD - CVE-2021-45105 (nist.gov)
    1. Details: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Eric_Rietveld · December 20, 2021, 5:04pm

Hi @kuchj1, yes, the hotfix you installed will bring you to log4j version 2.16. We’ll be shipping 2.17 based patches soon. Please keep monitoring Pegasystems Documentation

kuchj1 · December 20, 2021, 5:33pm

@Eric Rietveld thank you and happy holidays!

Conversation		Replies	Views
Apache Log4j 2.17.1 Vulnerability Hotfixes General security , 8-4	2	312	January 31, 2022
Zero-day flaw log4j2 - needs patching General pega-platform , system-architect , security , financial-services	3	274	December 20, 2021
Pega on-premises Apache Log4j Zero Day Vulnerability General security , system-administration , financial-services , 7-3-1	6	899	December 21, 2021
Apache Log4j Zero Day Vulnerability Hotfixes - Expected Results? General security , 8-5-2	7	299	December 31, 2021
Log4j day zero vulnerability - Pega Search General security , 8-6	3	275	February 25, 2022

Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16.

Related topics