URGENT and IMMEDIATE action required
A critical vulnerability was identified in the Apache Commons Text software on October 13, 2022 (CVE-2022-42889). This vulnerability could allow a malicious actor to trigger network access or code execution through string interpolation.
Pega Platform uses the Commons Text component in two places:
- Within the Search and Reporting Service (SRS)
- Within the Decision Strategy Manager (DSM) Text Analytics component
This vulnerability can affect Pega clients running versions 8.2.1 through 8.8 of Pega Infinity. We are not aware of any of our clients being compromised as a result of this vulnerability.
To block malicious actors from exploiting this vulnerability, Pega has created the I22 Hotfix for each relevant version to remediate this issue. The hotfixes are listed in the table below.
As always, be sure you have appropriate backups in place before applying the hotfix. Note that a system restart will be required for the hotfix to take effect.
Clients should deploy the hotfix in a lower environment and test there before propagating across systems. Pega recommends that the hotfix should NOT be committed until you have validated any impact.
As always, we recommend our clients review our Security Checklist regularly.
Pega will be providing more detailed advice to clients via their Client Advisory [CAD-] cases in My Support Portal.
Hotfixes:
Version | Hotfix
--- | ---
8.2.1 | HFIX-84501
8.2.2 | HFIX-84503
8.2.3 | HFIX-84505
8.2.4 | HFIX-84507
8.2.5 | HFIX-84509
8.2.6 | HFIX-84522
8.2.7 | HFIX-84524
8.2.8 | HFIX-84526
8.3.0 | HFIX-84550
8.3.1 | HFIX-84530
8.3.2 | HFIX-84533
8.3.3 | HFIX-84534
8.3.4 | HFIX-84536
8.3.5 | HFIX-84537
8.3.6 | HFIX-84539
8.4.0 | HFIX-84540
8.4.1 | HFIX-84542
8.4.2 | HFIX-84543
8.4.3 | HFIX-84549
8.4.4 | HFIX-84545
8.4.5 | HFIX-84548
8.4.6 | HFIX-84547
8.5.1 | HFIX-84546
8.5.2 | HFIX-84544
8.5.3 | HFIX-84541
8.5.4 | HFIX-84538
8.5.5 | HFIX-84535
8.5.6 | HFIX-84532
8.6.0 | HFIX-84531
8.6.1 | HFIX-84529
8.6.2 | HFIX-84527
8.6.3 | HFIX-84525
8.6.4 | HFIX-84523
8.6.5 | HFIX-84521
8.7.0 | HFIX-84520
8.7.1 | HFIX-84508
8.7.2 | HFIX-84506
8.7.3 | HFIX-84504
8.7.4 | Included in release
8.8.0 | HFIX-84502
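As an added example (not Pega's or Apache's code), a Python inventory script that lists every Commons Text jar under a deployment root and flags releases older than the upstream fixed release; the 1.10.0 threshold comes from Apache's own advisory, not from this page, and the directory layout and jar names in the sample tree are constructed assumptions rather than a real Pega layout.

```python
"""Inventory Apache Commons Text jars under a deployment root and flag releases
older than the upstream fix. Added example; not Pega or Apache code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Upstream fixed release for CVE-2022-42889 per Apache's advisory (not stated on
# this page); 1.5 through 1.9 ship the affected default lookups.
FIXED_VERSION = (1, 10, 0)
JAR_NAME = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")
POM_PREFIX = "META-INF/maven/org.apache.commons/commons-text/"

def parse_version(text):
    """'1.9' -> (1, 9, 0): pad to three numeric components for comparison."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(path):
    """Version from the filename, else from Maven pom.properties inside the jar
    (covers jars repackaged without a version suffix); None if unknown."""
    m = JAR_NAME.match(path.name)
    if m:
        return m.group(1)
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None

def scan(root):
    """Each commons-text*.jar under root with its version and a verdict:
    True = below the fixed release, False = fixed, None = unknown (review)."""
    findings = []
    for path in sorted(Path(root).rglob("commons-text*.jar")):
        ver = jar_version(path)
        verdict = None if ver is None else parse_version(ver) < FIXED_VERSION
        findings.append({"path": str(path), "name": path.name,
                         "version": ver, "vulnerable": verdict})
    return findings

def build_sample_tree():
    """Constructed sample deployment (assumed layout, not a real Pega one): one
    jar versioned in its name, one repackaged jar known only via pom.properties."""
    root = Path(tempfile.mkdtemp())
    (root / "srs" / "lib").mkdir(parents=True)
    (root / "dsm" / "lib").mkdir(parents=True)
    with zipfile.ZipFile(root / "srs" / "lib" / "commons-text-1.9.jar", "w"):
        pass  # empty archive is enough: the version is read from the filename
    with zipfile.ZipFile(root / "dsm" / "lib" / "commons-text.jar", "w") as zf:
        zf.writestr(POM_PREFIX + "pom.properties", "version=1.10.0\n")
    return root
```

Pega's hotfix may remediate within its own packaging rather than by swapping the jar, so treat this as an inventory check that complements confirming the listed HFIX is installed, not as proof either way.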