For On-Premises clients only.
(Pega has already mitigated this vulnerability for Pega Cloud and Pega Cloud for Government clients.)
Pega continually works to implement security controls designed to protect client environments.
With this focus, Pega has issued hotfixes for a critical security vulnerability in Pega Platform, which impacts Pega Platform versions 8.1.0 and higher. We would like to thank Marcin Wolak at RaboBank for finding this vulnerability.
For on-premises clients, there is the potential for malicious actors to run Remote Code Execution using the JMX interface on Cassandra and Kafka in situations where clients leave unneeded network ports exposed. Clients could mitigate this vulnerability by closing all unneeded ports, but any future infrastructure changes could re-expose the client; therefore, Pega strongly recommends that clients install the hotfix to reduce the risk of accidental exposure.
To block malicious actors from exploiting this vulnerability, Pega has created the B22 Hotfix for each relevant version to remediate this issue. If you are an on–premises client, please review the table below to determine which hotfix corresponds to your Pegasystems installation. Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfix. Note that a system restart will be required for the hotfix to take effect; also, clients must ensure they are running Java version 8u111 or later.
As always, we recommend our clients review our Security Checklist regularly.