IMPORTANT: This Advisory has been superseded by a new Advisory which addresses additional Log4j vulnerabilities: Stream Security Advisory - Apache Log4j 2.17 Vulnerability Hotfixes
Clients who have not yet applied any Stream hotfixes should go to the new Advisory and apply the correct version of the hotfix from that Advisory.
Clients who have applied one of the hotfixes from this Advisory should also apply the hotfix from the new Advisory.
A zero-day vulnerability was identified in the Apache Log4j logging software on Friday, Dec. 10 (CVE-2021-44228). A related Log4j vulnerability was identified on Tuesday, Dec. 14 (CVE-2021-45046), after the initial fix in Log4j 2.15 was found to be incomplete in certain non-default configurations. CVE-2021-44228 allows a remote attacker to execute code on any system that logs attacker-controlled input through an affected Log4j version, which is enough to take control of organizational networks. The Log4j software is used ubiquitously by most organizations around the world.
For more detailed information about the vulnerability and its potential impact on Pega software, see Security Advisory: Apache Log4j Zero Day Vulnerability.
Pega has created hotfixes (based on Apache Log4j 2.15) for our Stream service (Kafka) to address the CVE-2021-44228 vulnerability. The hotfixes follow Pega Platform versioning, so the hotfix you install must match the Pega Platform version you are running. Please install the appropriate version of this hotfix as soon as possible.
The Stream service hotfixes to address CVE-2021-45046 (based on Apache Log4j 2.16) are still in development, and will be made available in a separate Hotfix Advisory.
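The two hotfix baselines above (Log4j 2.15 for CVE-2021-44228, Log4j 2.16 for CVE-2021-45046, and 2.17 as the baseline of the superseding advisory) can be checked directly against the jars an installation actually loads. The following scanner is an added example, not Pega's code and not part of the original advisory. It assumes the Stream service's Kafka lib directory contains a `log4j-core-<version>.jar` whose `META-INF/MANIFEST.MF` carries an `Implementation-Version` entry, and falls back to the version in the file name otherwise; the sample jars it builds for the demo are constructed stand-ins containing only a manifest.

```python
"""Report which Log4j 2 CVEs from the advisory a Stream (Kafka) lib directory still leaves open.

Added example (not Pega code). Assumption: the log4j-core jar's manifest carries
Implementation-Version; if not, the version is taken from the jar file name.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Version thresholds as stated in the advisory: the 2.15-based hotfix closes
# CVE-2021-44228, the 2.16-based hotfix closes CVE-2021-45046, and the
# superseding advisory moves the baseline to 2.17.
FIX_VERSIONS = (
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
)
SUPERSEDING_BASELINE = (2, 17, 0)

JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.14.1' (or '2.15') into a 3-tuple of ints so versions compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_from_jar(jar_path):
    """Read the version from the jar manifest; fall back to the file name.

    Returns None when neither source yields a version."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() == "Implementation-Version":
                return parse_version(value)
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # missing manifest, unreadable jar, or no such file: use the name
    match = JAR_NAME_RE.match(jar_path.name)
    return parse_version(match.group(1)) if match else None


def assess(version):
    """List the advisory's CVEs that `version` does not yet fix, and flag
    anything below the 2.17 baseline of the superseding advisory."""
    open_cves = [cve for fixed_in, cve in FIX_VERSIONS if version < fixed_in]
    return {
        "open_cves": open_cves,
        "below_2_17_baseline": version < SUPERSEDING_BASELINE,
    }


def scan(lib_dir):
    """Walk a lib directory and report every log4j-core jar found.

    Only log4j-core is inspected: the vulnerable JNDI lookup code ships in
    log4j-core, not in log4j-api or the bridge jars."""
    report = {}
    for jar in sorted(Path(lib_dir).rglob("log4j-core-*.jar")):
        version = version_from_jar(jar)
        if version is None:
            report[str(jar)] = {"version": None, "error": "unparseable version"}
            continue
        report[str(jar)] = {"version": version, **assess(version)}
    return report


def make_sample_jar(directory, version):
    """Constructed stand-in for a log4j-core jar: a manifest only, no classes."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n",
        )
    return path


def demo_scan(versions=("2.14.1", "2.15.0", "2.16.0")):
    """Build a throwaway lib directory with constructed jars and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in versions:
            make_sample_jar(tmp, v)
        return scan(tmp)


if __name__ == "__main__":
    # Point scan() at the real Kafka lib directory of a Stream node instead.
    for jar, result in demo_scan().items():
        print(jar, result)
```

Run it against the real lib directory of each Stream node rather than the constructed jars; a jar reporting a version below 2.15 still needs the hotfix from this advisory, and anything below 2.17 should be handled through the superseding advisory linked at the top of this page.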
Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. If you are running Pega Platform software in an on-premises or client-managed cloud environment, please review the table below to determine which hotfix corresponds to your Pega Platform installation.
Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.
As always, we recommend that our clients review our Security Checklist regularly.