Pega on-premises Apache Log4j Zero Day Vulnerability

For Pega on-premises (MLP 7.3.1 / Tomcat)

Followed the instructions mentioned in the security advisory document (Pegasystems Documentation).

  • Executed the delete statement (delete from pegarules.pr_engineclasses where pzclass = 'JndiLookup.class' and pzpackage = 'org/apache/logging/log4j/core/lookup';)
  • Searched for the files starting with log4j in the application server directory and could see only two jars, log4j-core-2.3 & log4j-api-2.3, in the directory (Pega7.31\scripts\lib), so just replaced them with the latest jars (log4j-api-2.15.0.jar & log4j-core-2.15.0.jar).
  • If the system is configured with SMA, then the log4j-api-2.x jar at \Tomcat\webapps\prsysmgmt\WEB-INF\lib also needs to be replaced.

Since the jar files are replaced with the latest version, do we need to update any reference/dependency files that refer to the log4j2 jars in the system?

Systems are already updated with 2.15.0.

As per the latest update (Pegasystems Documentation), we need to upgrade it to 2.16.0. Is it still not safe to be on 2.15.0?
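One way to verify the jar side of the steps above, added here as an example and not Pega's own tooling: it lists every log4j-*.jar in a lib directory, reads the version from the file name, checks whether JndiLookup.class is still packaged inside the archive, and flags anything below 2.16.0. The sample jars it builds are constructed stand-ins, and the database delete step is not covered.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class removed by the advisory's SQL/jar steps (path inside the jar).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches e.g. log4j-core-2.3.jar or log4j-api-2.16.0.jar.
JAR_RE = re.compile(r"^(log4j-(?:core|api|slf4j-impl))-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.16.0' -> (2, 16, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit_jar(path, minimum="2.16.0"):
    """Return a finding dict for one Log4j jar, or None if the name does not match."""
    match = JAR_RE.match(Path(path).name)
    if not match:
        return None
    artifact, version = match.groups()
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    outdated = parse_version(version) < parse_version(minimum)
    return {"artifact": artifact, "version": version,
            "has_jndi_lookup": has_jndi, "needs_action": outdated or has_jndi}

def audit_lib_dir(lib_dir, minimum="2.16.0"):
    """Audit every log4j-*.jar in a lib directory (e.g. scripts/lib or WEB-INF/lib)."""
    results = [audit_jar(p, minimum) for p in sorted(Path(lib_dir).glob("log4j-*.jar"))]
    return [r for r in results if r is not None]

def make_sample_jar(path, include_jndi):
    """Constructed stand-in jar for offline demonstration; not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def run_demo():
    """Build a lib dir like the one in the thread (old 2.3 core + patched 2.16.0) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(Path(tmp) / "log4j-core-2.3.jar", include_jndi=True)
        make_sample_jar(Path(tmp) / "log4j-api-2.16.0.jar", include_jndi=False)
        make_sample_jar(Path(tmp) / "log4j-core-2.16.0.jar", include_jndi=False)
        return audit_lib_dir(tmp)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point audit_lib_dir at the real scripts\lib and prsysmgmt\WEB-INF\lib directories to check a deployed system; any entry with needs_action true still holds an old or unstripped jar.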

Hi @Brahmesh@, there were additional vulnerabilities uncovered in 2.15, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046, so when you have a chance please update to 2.16.

@Eric Rietveld Thanks for the response. Upgraded it to the latest version 2.16.0. Is a hotfix still required?

I see a hotfix available for Pega 8.x, but I don't see any hotfix suggested for Pega 7.x.

@Brahmesh@ Hotfixes will be made available for the affected Pega 7 versions as well.

@Eric Rietveld So far, we removed the JNDI class and updated the log4j jars to 2.16. As per CVE-2021-45105, log4j 2.17 is also released. Do we need to update the log4j jars to this latest version? Do we need to wait for confirmation from Pega about testing 2.17.0?

As per the Pega article (Pegasystems Documentation), it still says 2.16.0:

  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar
  • (possibly) kafka-log4j-appender-1.1.0.jar

NOTE: The 2.16.0 versions of these files are the latest version that Pega has tested.

@Brahmesh@, there's no urgency in patching the libs from 2.16 to 2.17. I suggest waiting and monitoring our publications as the story unfolds. See also my other posting on this.

Can you mark this question as addressed for now?