The following zero-day vulnerabilities were identified in the Apache Log4j logging software:
These vulnerabilities could allow malicious actors to take control of the networks of organizations that use Log4j. Log4j is used by most organizations around the world. For more detailed information about the vulnerability and its potential impact on Pega software, see Security Advisory: Apache Log4j Zero Day Vulnerability.
Apache has created different versions of the fix to mitigate these vulnerabilities, depending on the Java version used (see https://logging.apache.org/log4j/2.x/).
Since Pega Platform 7.x supports both Java 7 and Java 8, our hotfix is based on Apache Log4j version 2.12.3, which will mitigate vulnerabilities in Pega 7 versions for clients using both Java 7 and Java 8.
Clients running Pega Platform 7.x should submit a hotfix request using My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.
| Platform Version | Hotfix ID |
|---|---|
| 7.3 | HFIX-82289 |
| 7.3.1 | HFIX-82288 |
| 7.4 | HFIX-82287 |