Hotfixes for Kafka Log4j 2.17.1 were built to remove the older Log4j jars for 2.15 and 2.17 from Pega Platform, so they could not be accidentally referenced in the future. However, if a client runs the Kafka 2.17.1 hotfix more than once, it could reintroduce the Log4j version 2.15 jar file, which has reported vulnerabilities.
The hotfixes below provide a fix for this problem. Pega strongly encourages you to apply the appropriate version of these hotfixes to your system, even if you have applied previous hotfixes. This ensures that you are running the latest version of the Kafka Log4j 2.17.1 code, and also protects you from the reintroduction of the Log4j vulnerability if the prior hotfixes had been inadvertently applied multiple times.
NOTE: This applies only to the Kafka hotfixes; the Pega Cloud installations and the Pega Platform hotfixes are not affected.
Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. If you are running Pega Platform software in an on-premises or client-managed cloud environment, please review the table below to determine which hotfix corresponds to your Pegasystems installation, and install the appropriate version of this hotfix as soon as possible. Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.
Version | Hotfix
8.1.9* | HFIX-82639
8.2.8* | HFIX-82606
8.3.6 | HFIX-82638
8.4.6 | HFIX-82637
8.5.5 | HFIX-82636
8.6.2 | HFIX-82635
8.7** | HFIX-82532
* Kafka was updated in the 8.1.9 and 8.2.8 patch releases to use Log4j2. The Kafka that ships with Pega Platform version 8.1 and the patch releases 8.1.1 - 8.1.8, and also the 8.2 release and the 8.2.1 - 8.2.7 patch releases, includes the log4j-1.2.17.jar and is covered by the Apache Log4j 1.2 JMSAppender Vulnerability advisory.
** The Pega Platform 8.7 release provided version 2.17.1 of Log4j for the Pega Platform software, but included the older 2.17 version of Log4j for Kafka. This hotfix updates that version to the latest 2.17.1 version for Kafka.
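Because the advisory's failure mode is a stale jar silently returning to the installation (the 2.15 jar after a repeated hotfix run, the 2.17 jar shipped with Kafka in 8.7, or the 1.2.17 jar in pre-8.1.9 and pre-8.2.8 releases), the practical verification after applying a hotfix is to inventory every Log4j jar under the installation and confirm that only 2.17.1 remains. The script below is an added example and is not Pega's own tooling; the directory layout, the jar file names it constructs for its demo, and the installation root passed on the command line are all assumptions. It flags any `log4j*.jar` whose version is not 2.17.1, which covers all three stale cases the advisory names.

```shell
#!/bin/sh
# Added example, not Pega's code: inventory Log4j jars under an installation root
# and flag any that are not the expected 2.17.1 release.

# Return 0 when the jar file name denotes a Log4j 2.17.1 artifact
# (log4j-core-2.17.1.jar, log4j-api-2.17.1.jar, log4j-1.2-api-2.17.1.jar, ...),
# 1 for anything else: 1.2.x jars, 2.15.x jars, 2.17.0 jars, unknown names.
log4j_jar_ok() {
    case "$(basename "$1")" in
        log4j-*-2.17.1.jar) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the tree at $1 and print one line per Log4j jar, "OK" or "STALE" followed
# by the path. Returns 1 if any stale jar was found so the call can gate a
# deployment step. The here-document keeps the loop in the current shell so the
# stale counter survives, and the read loop keeps paths with spaces intact.
scan_log4j() {
    stale=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if log4j_jar_ok "$f"; then
            echo "OK    $f"
        else
            echo "STALE $f"
            stale=1
        fi
    done <<EOF
$(find "$1" -type f -name 'log4j*.jar' | sort)
EOF
    return $stale
}

# Build a constructed sample tree under $1 that mimics the advisory's cases:
# a correctly patched Kafka lib directory, a reintroduced 2.15 jar, and an
# old Log4j 1.2 jar. The file names are assumptions for the demo only.
make_sample_tree() {
    mkdir -p "$1/kafka/libs" "$1/lib"
    : > "$1/kafka/libs/log4j-core-2.17.1.jar"
    : > "$1/kafka/libs/log4j-api-2.17.1.jar"
    : > "$1/kafka/libs/log4j-core-2.15.0.jar"
    : > "$1/lib/log4j-1.2.17.jar"
}

# Run the scan against the constructed tree and report the verdict.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    if scan_log4j "$tmp"; then
        echo "result: no stale Log4j jars"
    else
        echo "result: stale Log4j jars present, re-apply the correct hotfix"
    fi
    rm -rf "$tmp"
}

# Usage: sh check-log4j.sh --demo          (scan the constructed sample tree)
#        sh check-log4j.sh /path/to/pega   (exit non-zero if a stale jar exists)
if [ "${1:-}" = "--demo" ]; then
    demo
elif [ $# -gt 0 ]; then
    scan_log4j "$1"
fi
```

A clean installation should produce only `OK` lines; a `STALE` line after a hotfix run is the signal that the hotfix was applied more than once or that the 8.7 Kafka 2.17 jar is still present, and the exit status lets the same check run unattended after each deployment.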