IMPORTANT: For clients running the current Pega Platform patches, the Stream Security Advisory for Pega Platform Apache Log4j 2.17.1 Vulnerability Hotfixes is also available.
Clients who are not on the latest patch release should apply the 2.17 hotfixes in this Advisory, which are available for all 8.x versions of Pega Platform.
NOTE: This Advisory supersedes the Stream Security Advisory for Apache Log4j.
The following vulnerabilities have been identified in Apache Log4j 2 logging software:
CVE | Fixed in Apache Log4j version
 | 2.15
 | 2.16
 | 2.17
These vulnerabilities could allow malicious actors to take control of organizational networks that run Log4j. The Log4j software is used ubiquitously by most organizations around the world.
For detailed information about the vulnerability and its potential impact on Pega software, see Security Advisory: Apache Log4j Zero Day Vulnerability.
Pega has created hotfixes based on Apache Log4j 2.17 for our Stream service (Kafka) to address the three vulnerabilities listed above. The hotfixes follow the Pega Platform versioning.
Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. If you are running Pega Platform software in an on-premises or client-managed cloud environment, please review the table below to determine which hotfix corresponds to your Pegasystems installation, and install the appropriate version of this hotfix as soon as possible.
NOTE: All on-premises or client-managed cloud clients should apply this latest Stream service hotfix, even if they had applied an earlier Stream service hotfix, as this hotfix addresses all the above vulnerabilities.
Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.
Platform Version | Hotfix ID
8.1.9* | HFIX-82142
8.3.0 | HFIX-82143
8.3.1 | HFIX-82144
8.3.2 | HFIX-82145
8.3.3 | HFIX-82146
8.3.4 | HFIX-82147
8.3.5 | HFIX-82148
8.3.6 | HFIX-82149
8.4.0 | HFIX-82190
8.4.1 | HFIX-82191
8.4.2 | HFIX-82192
8.4.3 | HFIX-82193
8.4.4 | HFIX-82194
8.4.5 | HFIX-82195
8.4.6 | HFIX-82196
8.5.1 | HFIX-82197
8.5.2 | HFIX-82198
8.5.3 | HFIX-82199
8.5.4 | HFIX-82200
8.5.5 | HFIX-82201
8.6.0 | HFIX-82202
8.6.1 | HFIX-82203
8.6.2 | HFIX-82204
* Kafka was updated in just the 8.1.9 patch release to use Log4j2. The Kafka that ships with Pega Platform version 8.1 and the patch releases 8.1.1 - 8.1.8, and also the 8.2 release and the 8.2.x patch releases, includes the log4j-1.2.17.jar and is covered by the Apache Log4j 1.2 JMSAppender Vulnerability advisory.
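To verify which case an on-premises Stream service (Kafka) installation falls into after applying, or before requesting, the hotfix above, the following added check (not Pega's code, and not part of this advisory) inspects the Log4j jars in a Kafka lib directory and reports whether log4j-core is at or above the 2.17 baseline, below it, or whether only the Log4j 1.x jar covered by the separate JMSAppender advisory is present. The lib directory path and the jar file names used in the demo are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: classify the Log4j jars found in a Kafka lib directory
# against the versions discussed in the advisory. Assumes standard Apache
# jar names (log4j-core-2.x.y.jar, log4j-1.2.17.jar); the directory is
# passed as the first argument and is not a documented Pega path.
# Output is one of: NEEDS_HOTFIX, OK, LOG4J1, NONE.
classify_log4j_dir() {
  dir="$1"
  core_old=0; core_ok=0; v1=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue            # unmatched glob, nothing to inspect
    name=$(basename "$jar")
    case "$name" in
      log4j-1.*.jar)
        # Log4j 1.x (e.g. log4j-1.2.17.jar): not subject to these three
        # Log4j 2 CVEs, but covered by the Log4j 1.2 JMSAppender advisory.
        v1=1 ;;
      log4j-core-2.*.jar)
        ver=${name#log4j-core-}; ver=${ver%.jar}   # e.g. 2.17.1
        rest=${ver#*.}; minor=${rest%%.*}          # e.g. 17
        if [ "$minor" -ge 17 ]; then core_ok=1; else core_old=1; fi ;;
    esac
  done
  # An old log4j-core left behind next to a patched one still needs attention.
  if   [ "$core_old" -eq 1 ]; then echo NEEDS_HOTFIX
  elif [ "$core_ok"  -eq 1 ]; then echo OK
  elif [ "$v1"       -eq 1 ]; then echo LOG4J1
  else echo NONE; fi
}

# Stand-alone demo on constructed (empty) jar files, not a real installation.
demo_classify() {
  d=$(mktemp -d)
  touch "$d/log4j-core-2.14.1.jar" "$d/log4j-api-2.14.1.jar"
  result=$(classify_log4j_dir "$d")
  rm -rf "$d"
  echo "$result"
}
```

Run it against the lib directory of the Kafka bundled with the Pega Platform installation; a result of NEEDS_HOTFIX means the 2.17-based Stream service hotfix for that platform version should be requested and applied.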