Security Advisory: Apache Log4j 1.2 JMSAppender vulnerability

Updated on December 22, 2021

This content applies to On-premises, Client-managed cloud and Pega Cloud environments

A vulnerability was identified in the JMSAppender in Apache Log4j logging software version 1.2 (CVE-2021-4104). This vulnerability would allow malicious actors to take control of organizational networks using Log4j. Log4j is used by most organizations around the world.

This older version of Log4j is used in older Pega Platform versions prior to Version 7.3.  The standard file appenders and the prlogging.xml configuration file that ship with these older Pega Platform versions have been tested, and do not meet the configuration criteria defined by the CVE-2021-4104 vulnerability. 

NOTE:  For Pega Platform versions 7.3.x and later, please see the Security Advisory:  Apache Log4j Zero Day Vulnerability

Pega Cloud clients should not be able to edit this file and add their own appenders, so they do not meet the configuration criteria defined by the CVE-2021-4104 vulnerability. 

Note: This issue does not require a hotfix from Pega.

For Pega clients who are using on-premises or self-managed cloud installations: If a client has customized their prlogging.xml file and has added their own appender to that configuration (where that custom appender uses Pega’s shipped JMSAppender class), they may be vulnerable. In this situation, clients are strongly urged to disable and remove that appender and use the standard console or file appenders that are shipped out-of-the-box.
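One way to check a customized prlogging.xml for such an appender, shown as an added example that is not Pega's code. It assumes the standard Log4j 1.2 XML layout and flags any appender whose class name ends in `JMSAppender`, because the advisory does not give the name of Pega's shipped class. The sample configuration, appender names and JNDI values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Log4j 1.2 XML layout; a real prlogging.xml will differ.
SAMPLE = """<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="AUDIT_JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="jms/auditTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="jms/auditFactory"/>
  </appender>
  <root>
    <appender-ref ref="CONSOLE"/>
  </root>
  <logger name="com.example.audit">
    <appender-ref ref="AUDIT_JMS"/>
  </logger>
</log4j:configuration>
"""

def find_jms_appenders(xml_text):
    """Return one finding per <appender> whose class name ends in JMSAppender."""
    root = ET.fromstring(xml_text)
    # Map each appender name to the loggers, <root> or wrapping appenders
    # that reference it, so the cleanup can remove those references too.
    used_by = {}
    for parent in root.iter():
        for ref in parent.findall("appender-ref"):
            owner = parent.get("name") or parent.tag
            used_by.setdefault(ref.get("ref"), []).append(owner)
    findings = []
    for app in root.iter("appender"):
        cls = app.get("class", "")
        # Assumption: suffix match also catches vendor classes named *JMSAppender.
        if not cls.endswith("JMSAppender"):
            continue
        params = {p.get("name"): p.get("value") for p in app.findall("param")}
        findings.append({
            "name": app.get("name"),
            "class": cls,
            "params": params,  # JNDI binding names the appender would look up
            "referenced_by": used_by.get(app.get("name"), []),
        })
    return findings

if __name__ == "__main__":
    for finding in find_jms_appenders(SAMPLE):
        print("JMSAppender configured:", finding)
```

An empty result means no appender matching that pattern is declared in the file. Each finding names the appender to remove and the loggers whose `appender-ref` entries must be removed with it.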

Pega also strongly recommends that clients running on these older versions of Pega Platform upgrade to our current Pega Infinity (8.x) series, which has the latest security and functionality.
