Common Vulnerabilities and Exposures (CVE) has announced the CVE-2022-24082 vulnerability related to the Pega Platform's Java Management Extensions (JMX) port. This vulnerability can have severe consequences if left unpatched on your on-premise installation of the Pega Platform.

In this post, we'll take a deep dive into what this vulnerability entails, including its potential impact, how to detect it, and measures to take to ensure your system is secure. This long-read post includes code snippets, links to original references, and exploit details to help you understand the issue and how to properly address it to avoid security breaches.

Please note: This vulnerability does not affect systems running on PegaCloud due to its design and architecture.

Understanding the Vulnerability

CVE-2022-24082 concerns an on-premise installation of the Pega Platform configured with the JMX (Java Management Extensions) interface port exposed to the Internet. If your system has this configuration and lacks proper port filtering, attackers could potentially upload serialized payloads and compromise the underlying system.

How it works

The vulnerability stems from the JMX interface used for monitoring, managing, and configuring Java applications. When the JMX port is exposed to the Internet without adequate filtering, attackers can reach the interface directly and submit malicious serialized objects to it.

The following code snippet shows a sample payload that an attacker might use:

package com.example.exploit;

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;

// Illustrative snippet: all it does is decode a string and write the bytes to a file.
public class MaliciousPayload {
    public static void main(String[] args) throws Exception {
        // Placeholder value from the post. It is not a real serialized object, and its
        // '.' characters are not valid in standard Base64, so decode() rejects it as written.
        String payload = "eyJeXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMNTY3ODkwIiwibmFtZSI6IkpvaG5Eb2UiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTYxNzENzA2Mn.RVzVc6BxyDrul_9WBx_LqnBwkxVcCb1xHN_F2YwDDSg";
        byte[] decodedPayload = Base64.getDecoder().decode(payload);
        // try-with-resources closes both streams even if the write fails
        try (FileOutputStream f = new FileOutputStream("payload.bin");
             ObjectOutputStream objOut = new ObjectOutputStream(f)) {
            // write(byte[]) emits raw block data, not a serialized object graph
            objOut.write(decodedPayload);
            objOut.flush();
        }
    }
}

Exploit Details

In our scenario, attackers gain access to your system by sending a specially crafted payload such as the one shown in the code snippet above. Once they've gained this unauthorized access, they could use this vulnerability to modify important system configurations, exfiltrate data, or even perform a full takeover of the affected system.

Detection

To identify if your Pega Platform deployment is at risk, you'll first need to check whether your JMX interface is exposed to the Internet. You can verify this by running the following command:

netstat -an | grep [port_number]

Replace [port_number] with the specific port number associated with your JMX configuration. If the output shows your system listening on that port on an address reachable from outside the host (a wildcard or interface address rather than loopback only), you should consider your JMX interface exposed to the Internet.
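The check described above, written out as an added example (not part of the original post): it reads Linux `netstat -an` style lines and classifies the bind address of the JMX port. The sample lines are constructed, and the JMX port number 9999 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies whether a port is
# LISTENing on a wildcard/interface address (reachable from off-host) or on
# loopback only. Input format is Linux `netstat -an`; the port is assumed.

# Constructed sample output; 9999 is an assumed JMX port, not a Pega default.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9998          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 10.0.0.5:9999           203.0.113.7:51234       ESTABLISHED'

# jmx_exposure PORT  (netstat output on stdin)
# Prints "exposed", "local-only" or "not-listening".
jmx_exposure() {
    port="$1"
    state="not-listening"
    while read -r proto recvq sendq local remote st rest; do
        [ "$st" = "LISTEN" ] || continue
        # local address looks like 0.0.0.0:9999 or :::9999 (IPv6 wildcard)
        lport="${local##*:}"
        laddr="${local%:*}"
        [ "$lport" = "$port" ] || continue
        case "$laddr" in
            0.0.0.0|::) state="exposed"; break ;;   # wildcard bind: every interface
            127.*|::1)  [ "$state" = "exposed" ] || state="local-only" ;;
            *)          state="exposed"; break ;;   # bound to a non-loopback interface
        esac
    done
    echo "$state"
}

# Convenience wrapper that runs the classifier over the constructed sample.
check_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | jmx_exposure "$1"; }

check_sample "${1:-9999}"
```

On a real host, pipe `netstat -an` (or `ss -ltn`, after adjusting the field positions) into `jmx_exposure` with your JMX port; "exposed" means the socket is reachable unless a firewall in front of it says otherwise.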

Mitigation and Patching

Pegasystems has released a patch to address CVE-2022-24082. To safeguard your system, it is essential that you apply the patch as soon as possible. You can find the patch on the Pega support page: Pega Platform Patch Release

In addition to applying the patch, consider following these best practices:

1. Limit JMX interface exposure by ensuring proper firewall and port filtering configurations are in place. Restrict access to the JMX port to a whitelist of trusted IP addresses or subnets.

2. Regularly review your logs for any unauthorized access attempts or suspicious activity.

3. Follow the Pega Platform Hardening Guide to enhance your platform's overall security posture.

Conclusion

CVE-2022-24082 is a critical vulnerability that affects on-premise installations of the Pega Platform with improperly filtered JMX interface ports. It is crucial to take immediate action to patch your system and follow best practices to minimize the risk of a security breach.

Remember, systems running on PegaCloud are unaffected by this vulnerability, thanks to their specialized design and architecture.

For the most up-to-date information and further support, visit the Pega Platform Security page to stay informed on any related updates or announcements.

Timeline

Published on: 07/19/2022 15:15:00 UTC
Last modified on: 07/27/2022 22:41:00 UTC