CVE-2022-24082
📋 TL;DR
CVE-2022-24082 allows remote code execution on Pega Platform installations by exploiting insecure JMX interface exposure. Attackers can upload serialized payloads to execute arbitrary code on the underlying system. Only affects on-premise installations; PegaCloud deployments are not vulnerable due to their architecture.
💻 Affected Systems
- Pega Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal data, deploy ransomware, or pivot to other systems.
Likely Case
Remote code execution leading to data exfiltration, installation of backdoors, or cryptomining malware.
If Mitigated
No impact if the JMX interface is properly secured and not exposed to untrusted networks.
🎯 Exploit Status
Public exploit code available on Packet Storm Security; exploitation requires network access to JMX port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.7.4 or later (check vendor advisory for specific hotfix versions)
Vendor Advisory: https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0
Restart Required: Yes
Instructions:
1. Review Pega Security Advisory B22.
2. Apply the recommended hotfix for your version.
3. Restart Pega services.
4. Verify the JMX interface is properly secured.
🔧 Temporary Workarounds
Restrict JMX Network Access
Linux: Configure firewall rules to restrict access to the JMX port (default 1099) to trusted management networks only.
# Example iptables rule: iptables -A INPUT -p tcp --dport 1099 -s trusted_ip_range -j ACCEPT
# Then: iptables -A INPUT -p tcp --dport 1099 -j DROP
Disable JMX Remote Access
All platforms: Configure Pega Platform to disable remote JMX access if it is not required for operations.
# Edit pega configuration to set: com.sun.management.jmxremote=false
# Or use Java options: -Dcom.sun.management.jmxremote=false
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block all external access to JMX port (default 1099/TCP).
- Deploy network intrusion detection systems to monitor for serialization attack patterns on JMX traffic.
🔍 How to Verify
Check if Vulnerable:
Check whether the JMX port (default 1099) is reachable from untrusted networks using nmap: nmap -p 1099 target_ip
Check Version:
Check Pega Platform version through admin interface or configuration files.
Verify Fix Applied:
Verify JMX port is not accessible from untrusted networks and confirm Pega version is patched.
📡 Detection & Monitoring
Log Indicators:
- Unusual JMX connection attempts
- Serialization errors in application logs
- Unexpected Java process execution
Network Indicators:
- Traffic to JMX port (1099) from untrusted sources
- Serialized Java object patterns in network traffic
SIEM Query:
source_port=1099 OR dest_port=1099 | stats count by src_ip, dest_ip
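The SIEM query above counts JMX flows per source/destination pair; the script below, added here as an example and not part of the original advisory or Pega's tooling, applies the same logic offline to constructed connection-log lines and flags pairs whose source lies outside an assumed trusted management range (10.10.5.0/24, a placeholder to replace with your own).

```python
import ipaddress
from collections import Counter

# Constructed sample connection log (not from the advisory); one flow per line:
# timestamp src_ip src_port dest_ip dest_port
SAMPLE_LOG = """\
2023-01-10T10:00:01Z 10.10.5.20 51012 10.10.1.8 1099
2023-01-10T10:00:07Z 10.10.5.20 51014 10.10.1.8 1099
2023-01-10T10:01:13Z 198.51.100.77 40021 10.10.1.8 1099
2023-01-10T10:01:15Z 198.51.100.77 40022 10.10.1.8 1099
2023-01-10T10:01:20Z 198.51.100.77 40023 10.10.1.8 1099
2023-01-10T10:02:00Z 203.0.113.9 33001 10.10.1.8 443
2023-01-10T10:02:30Z 10.10.5.21 51100 10.10.1.9 1099
"""

JMX_PORT = 1099
# Assumed trusted management network (placeholder); substitute your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]


def parse_flows(text):
    """Yield (src_ip, dest_ip, dest_port) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, src, _sport, dst, dport = parts
        yield src, dst, int(dport)


def count_jmx_pairs(text, port=JMX_PORT):
    """Equivalent of 'dest_port=1099 | stats count by src_ip, dest_ip'."""
    return Counter((src, dst) for src, dst, dport in parse_flows(text) if dport == port)


def is_trusted(ip, nets=TRUSTED_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def untrusted_jmx_sources(text, port=JMX_PORT, nets=TRUSTED_NETS):
    """Return {(src, dst): count} for JMX connections from outside the trusted nets."""
    return {pair: n for pair, n in count_jmx_pairs(text, port).items()
            if not is_trusted(pair[0], nets)}


if __name__ == "__main__":
    for (src, dst), n in sorted(untrusted_jmx_sources(SAMPLE_LOG).items()):
        print(f"ALERT untrusted JMX access {src} -> {dst}:{JMX_PORT} ({n} connections)")
```

Feed it exported firewall or flow logs in the same five-field layout, or adapt parse_flows to your log format; the flagged pairs are the ones to compare against the firewall rules in the workaround section.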
🔗 References
- http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html
- https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0