Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has identified a medium-severity security vulnerability in all versions of Pega Platform. Pega has created the A22 Hotfix for each relevant version to remediate this issue.
Pega has reassessed the impact of the vulnerability based on additional testing. A22 has been re-scored as medium on the CVSS scale. The re-scoring considered that the user must be an authenticated trusted developer. Based on the revised score, Pega is no longer mandating A22 and is leaving the decision to apply A22 to our clients.
As was communicated previously regarding the A22 hotfix, Pega has explored alternative options to secure your application. As a result, Pega is releasing a new set of A22 hotfixes. Pega Cloud® environments running the relevant Pega versions will have the hotfix proactively installed by Pega.
If you are an on-premises client and choose to apply the A22 Hotfix, please review the table below to determine which hotfix corresponds to your Pega Platform installation. Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
Clients should deploy the hotfix in a lower environment and test there before propagating across systems. Pega recommends that the hotfix should NOT be committed until you have validated any impact.
As with all hotfixes, please make sure you have appropriate backups.
Pega will be providing more detailed advice to clients via their Client Advisory [CAD-] cases in My Support Portal.
Clients on version 7.2.2 who take HFIX-83159 must follow the steps provided to ensure that the hotfix and its dependencies are installed correctly:
- HFIX-31757 requires manual steps. Please see: BouncyCastle support - HFIX31757 - Pega version 7.2.2
Clients running a Pega version prior to 7.2 are required to upgrade to a version greater than 7.2. If an upgrade is not feasible at this time, please contact GCS support to discuss other options.
As always, we recommend clients review our Security Checklist regularly.
This post has been updated on 7 September 2022, updates include:
- Added the following link: BouncyCastle support - HFIX31757 - Pega version 7.2.2
This post has been updated on 28 June 2022, updates include:
- Added 8.6.4 to hotfix table
This post has been updated on 29th April 2022, updates include:
- Table updated with a new list of A22 hotfixes.
- Pega Cloud® environments running the relevant Pega versions will have the latest A22 hotfix proactively installed by Pega. Please refer to your Client Advisory [CAD-] cases in My Support Portal for more details
This post has been updated on 14th April 2022, updates include:
- Rescore the vulnerability from high to medium on the CVSS scale
- A22 hotfixes are no longer being proactively applied to Pega Cloud® environments
| Pega Version | Hotfix Number |
|---|---|
| 7.2 | HFIX-83161 |
| 7.2.1 | HFIX-83160 |
| 7.2.2 | HFIX-83159 |
| 7.3 | HFIX-83158 |
| 7.3.1 | HFIX-83157 |
| 7.4 | HFIX-83156 |
| 8.1 | HFIX-83155 |
| 8.1.1 | HFIX-83154 |
| 8.1.2 | HFIX-83152 |
| 8.1.3 | HFIX-83151 |
| 8.1.4 | HFIX-83150 |
| 8.1.5 | HFIX-83149 |
| 8.1.6 | HFIX-83148 |
| 8.1.7 | HFIX-83147 |
| 8.1.8 | HFIX-83146 |
| 8.1.9 | HFIX-83145 |
| 8.2.1 | HFIX-83144 |
| 8.2.2 | HFIX-83143 |
| 8.2.3 | HFIX-83142 |
| 8.2.4 | HFIX-83141 |
| 8.2.5 | HFIX-83140 |
| 8.2.6 | HFIX-83139 |
| 8.2.7 | HFIX-83138 |
| 8.2.8 | HFIX-83137 |
| 8.3.0 | HFIX-83136 |
| 8.3.1 | HFIX-83135 |
| 8.3.2 | HFIX-83134 |
| 8.3.3 | HFIX-83133 |
| 8.3.4 | HFIX-83132 |
| 8.3.5 | HFIX-83131 |
| 8.3.6 | HFIX-83130 |
| 8.4.0 | HFIX-83129 |
| 8.4.1 | HFIX-83128 |
| 8.4.2 | HFIX-83127 |
| 8.4.3 | HFIX-83126 |
| 8.4.4 | HFIX-83125 |
| 8.4.5 | HFIX-83124 |
| 8.4.6 | HFIX-83123 |
| 8.5.1 | HFIX-83122 |
| 8.5.2 | HFIX-83121 |
| 8.5.3 | HFIX-83120 |
| 8.5.4 | HFIX-83119 |
| 8.5.5 | HFIX-83118 |
| 8.5.6 | HFIX-83117 |
| 8.6.0 | HFIX-83116 |
| 8.6.1 | HFIX-83115 |
| 8.6.2 | HFIX-83114 |
| 8.6.3 | HFIX-83113 |
| 8.6.4 | HFIX-83480 |
| 8.7 | HFIX-83112 |
| 8.7.1 | HFIX-83111 |