Zero-day flaw log4j2 - needs patching

angelf21 · December 10, 2021, 10:10pm

How do I find what version of Log4J2 we have installed and after that, how do we upgrade it?

There is a zero-day flaw that needs patching:

Anish · December 11, 2021, 7:03am

Hello,

Have we got any more info on this and the impacts?

Please share if you have got any info on how to upgrade it to 2.15.

ClaimsC4 · December 12, 2021, 5:09am

This is the latest update from Pega.

angelf21 · December 20, 2021, 5:02pm

The latest from PEGA is on how to delete jars from database and update Pega_Stream, and that a hotfix is TBD

Their recommendations are here: Pegasystems Documentation

As of today, the new version of log4j is actually 2.17.x

Conversation		Replies	Views
Pega on-premises Apache Log4j Zero Day Vulnerability General security , system-administration , financial-services , 7-3-1	6	890	December 21, 2021
Apache Log4j 2.17.1 Vulnerability Hotfixes General security , 8-4	2	309	January 31, 2022
Log4j day zero vulnerability - Pega Search General security , 8-6	3	271	February 25, 2022
Log4j (I see this running on the Hotfixed nodes) is still vulnerable at version 2.16. General pega-platform , security , communications-and-media	2	36	December 20, 2021
Apache Log4j Zero Day Vulnerability Hotfixes - Expected Results? General security , 8-5-2	7	296	December 31, 2021