IMPORTANT: This Advisory has been superseded by a new Advisory which addresses additional Log4j vulnerabilities: Pega Security Advisory – Apache Log4j 2.17 Vulnerability Hotfixes
Clients who have not yet applied any Pega Platform hotfixes should go to the new Advisory and apply the correct version of the hotfix from that Advisory.
Clients who have applied one of the hotfixes from this Advisory should also apply the hotfix from the new Advisory.
A zero-day vulnerability was identified in the Apache Log4j logging software on Friday, Dec. 10 (CVE-2021-44228). A related Log4j vulnerability was identified on Tuesday, Dec. 14 (CVE-2021-45046). These vulnerabilities could allow malicious actors to take control of systems on organizational networks that use Log4j. Log4j is ubiquitous: most organizations around the world use it.
For more detailed information about the vulnerability and its potential impact on Pega software, see Stream Security Advisory - Apache Log4j 2.17 Vulnerability Hotfixes.
Pega has created hotfixes for each Platform version to address this vulnerability.
Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. If you are running Pega Platform software in an on-premises or client-managed cloud environment, please review the table below to determine which hotfix corresponds to your Pegasystems installation. (Note: A hotfix for our Stream service [Kafka] is available separately. See this post for more information.)
Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.