Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for one Critical security vulnerability in Pega Platform.
We would like to acknowledge Daniel Wiseman from Commonwealth Bank of Australia for finding this vulnerability.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| D24 | Improper Control of Generation of Code | Critical: Improper Control of Generation of Code may allow an attacker to craft the code in such a way that it will alter the intended control flow of the product | Hotfixes: 8.1.9, 8.2.8, 8.3.6, 8.4.6, 8.5.6, 8.6.6, 8.7.0 to 8.7.6, 8.8.0 to 8.8.5, 23.1.0 to 23.1.3. Patch releases: 23.1.4 patch release, 24.1.2 patch release, 24.2 patch release |
We are not aware of any of our clients being compromised as a result of this vulnerability.
Hotfixes are being provided for clients running Pega Platform 8.7.0 and higher. We are also providing hotfixes for clients on 8.1.x to 8.6.x in the latest patch release only (i.e. 8.1.9, 8.2.8, 8.3.6, 8.4.6, 8.5.6, 8.6.6). We will not provide hotfixes for versions of the platform prior to 8.x. In addition, steps are not available as part of a local change.
We urge your organization to update as soon as possible.
In 2022, Pega issued the A22 Security Advisory. The D24 advisory extends the A22 advisory by addressing additional use cases and allows the Java injection protection to be controlled by an admin and not just by developers.
Please refer to your Client Advisory (CAD-), sent 22nd Oct 2024, for specific details on the behavior of the hotfix.
If you are a Pega Cloud® client, your Pega Cloud® environments running the relevant Pega versions listed in the table below are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments and will provide the schedule of when the hotfixes will be applied. If you are not on a version with a solution provided, you need to upgrade as soon as possible.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the relevant hotfix, which will be applied by Pega.
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, you can download your hotfix directly from My Security Hotfixes on My Pega.
Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on November 20th, 2024. In order to give all Pega clients time to patch their on-premises systems, we request that clients not discuss this in public forums until after it’s been publicly posted.
As always, we recommend our clients review our Security Checklist regularly.
Issue Details
| Issue Details | Improper Control of Generation of Code |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 6.x to 24.1.1 |
| CVE | CVE-2024-10094 |
| CVSS Rating | 9.1 (Critical) |
| Description | Improper Control of Generation of Code |
Hotfixes
A hotfix is being created, as noted above, for the following releases: all Pega Platform 8.7.0 and higher, along with 8.1.9, 8.2.8, 8.3.6, 8.4.6, 8.5.6, and 8.6.6. We will not provide hotfixes for versions of the platform prior to 8.7.0 except for the six noted above. You should upgrade as soon as possible. Steps are not available as part of a local change.
A restart will be needed for the hotfix changes to apply.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security and bug fixes. See Keeping current with Pega.
| Version | Hotfix |
|---|---|
| 8.1.9 | HFIX-B2681 |
| 8.2.8 | HFIX-B2682 |
| 8.3.6 | HFIX-B2683 |
| 8.4.6 | HFIX-B2684 |
| 8.5.6 | HFIX-B2685 |
| 8.6.6 | HFIX-B2686 |
| 8.7.0 | HFIX-B2726 |
| 8.7.1 | HFIX-B2725 |
| 8.7.2 | HFIX-B2724 |
| 8.7.3 | HFIX-B2723 |
| 8.7.4 | HFIX-B2722 |
| 8.7.5 | HFIX-B2721 |
| 8.7.6 | HFIX-B2687 |
| 8.8.0 | HFIX-B2660 |
| 8.8.1 | HFIX-B2659 |
| 8.8.2 | HFIX-B2658 |
| 8.8.3 | HFIX-B2657 |
| 8.8.4 | HFIX-B2656 |
| 8.8.5 | HFIX-B2688 |
| 23.1.0 | HFIX-B2689 |
| 23.1.1 | HFIX-B2690 |
| 23.1.2 | HFIX-B2691 |
| 23.1.3 | HFIX-B2692 |
| 24.1.0 | HFIX-B2693 |
| 24.1.1 | HFIX-B2694 |
Mitigations:
Pega strongly recommends that clients running Pega Platform 6.x, 7.x, and 8.x systems upgrade to the latest patch versions to take advantage of the latest features, capabilities, security, and bug fixes as described here: Keeping Current with Pega.
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.