IMPORTANT: The most recent Pega Platform patch release for your version is a required prerequisite for this hotfix. Clients who are not on the latest patch release should apply the 2.17 hotfixes, which are available in the Pega Security Advisory for Apache Log4j 2.17 Vulnerability Hotfixes.
For clients on the affected versions of Pega 7 (versions 7.3, 7.3.1, and 7.4), the hotfixes in this advisory supersede those in the Pega 7 Hotfix Advisory for Apache Log4j Zero Day Vulnerability.
The following vulnerabilities have been identified in Apache Log4j 2 logging software:
| CVE | Fixed in Apache Log4j version |
| --- | --- |
| | 2.15 |
| | 2.16 |
| | 2.17 |
| CVE-2021-44832 | 2.17.1 |
For detailed information about the vulnerabilities and their potential impact on Pega software, see Security Advisory: Apache Log4j Zero Day Vulnerability.
The first three vulnerabilities could allow malicious actors to take control of organizational networks using Log4j. The Log4j software is ubiquitously used by most organizations around the world. The CVE-2021-44832 vulnerability is rated with a CVSS 3.x Base Score of 6.6 Medium, and can only be exploited if the adversary has already gained access to a client’s system through another means (which would indicate a much larger security issue for the organization).
Pega has created hotfixes based on Apache Log4j 2.17.1 to address the four vulnerabilities listed above. Pega’s Log4j 2.17.1 hotfixes will only be available for the latest patch release of each Pega Platform version, and clients must evaluate whether they require this fix. Clients who are on prior patch versions must upgrade to the latest patch version in order to receive and apply this hotfix, or they must apply a 2.17 hotfix from the Apache Log4j 2.17 Vulnerability Hotfixes Advisory.
(Note: Hotfixes for our Stream service [Kafka] are available separately. See this post for more information.)
Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. If you are running Pega Platform software in an on-premises or client-managed cloud environment, please review the tables below to determine which hotfix corresponds to your Pega Platform version, and install that hotfix as soon as possible. Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.
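Before requesting a hotfix it helps to know which Log4j 2 releases your deployment actually predates. The following inventory check is an added example, not Pega code: it walks a directory tree for `log4j-core-<version>.jar` files (the filename pattern and directory layout are assumptions) and reports which of the fixed-in releases from the table above each jar is missing. It compares version numbers only, so it cannot know about vendor-patched or backported jars.

```python
import os
import re
import sys
from typing import Iterator, Optional, Tuple

# Fixed-in releases from the advisory table; 2.17.1 is the release the hotfixes are built on.
FIXED_IN = ("2.15", "2.16", "2.17", "2.17.1")

# Assumed filename pattern for the Log4j core jar, e.g. log4j-core-2.14.1.jar
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.17' or '2.17.1' into a comparable tuple, padding so that 2.17 == 2.17.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def version_from_jar_name(name: str) -> Optional[str]:
    """Return the version embedded in a log4j-core jar filename, or None for other files."""
    m = JAR_RE.match(name)
    return m.group(1) if m else None


def fixes_missing(version: str) -> Tuple[str, ...]:
    """Return the fixed-in releases this version predates; empty means it is at or above 2.17.1."""
    have = parse_version(version)
    return tuple(f for f in FIXED_IN if have < parse_version(f))


def scan(root: str) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (path, version, missing fixes) for every log4j-core jar under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            version = version_from_jar_name(name)
            if version is not None:
                yield os.path.join(dirpath, name), version, fixes_missing(version)


if __name__ == "__main__":
    # Usage: python log4j_inventory.py /path/to/pega/install (defaults to the current directory)
    for path, version, missing in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "current" if not missing else "predates " + ", ".join(missing)
        print(f"{path}: log4j-core {version} ({status})")
```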
Pega 7
| Platform Version | Hotfix ID |
| --- | --- |
| 7.3 | HFIX-82370 |
| 7.3.1 | HFIX-82369 |
| 7.4 | HFIX-82368 |
Pega Platform – Infinity (Latest Patch Releases)
| Platform Version | Hotfix ID |
| --- | --- |
| 8.1.9 | HFIX-82367 |
| 8.2.8 | HFIX-82366 |
| 8.3.6 | HFIX-82365 |
| 8.4.6 | HFIX-82364 |
| 8.5.5 | HFIX-82363 |
| 8.6.2 | HFIX-82362 |