
Configuring the Java injection check

At design time and at run time, Pega Platform checks activities, functions, and stream and validation rules for particular Java injection vulnerabilities. Extend the default behavior to check for additional vulnerabilities.

By default, Pega Platform reports errors at design time and run time, and does not run any rule that was created in Pega Platform 8.3 or later and includes any of the following:

  • Runtime.getRuntime()
  • new ProcessBuilder()
  • JavaCompiler
  • org.dita.dost.invoker

For rules that were created before version 8.3, the system behavior depends upon the value of the dynamic system setting security/enableJavaInjectionMitigation.

  • If a vulnerability is found and the dynamic system setting is not defined or is false, the rule runs and security alert SECU0018 appears in the security alert log.
  • If a vulnerability is found and the dynamic system setting is true, an error is reported and the rule does not run.

Extend the default behavior with the following steps:

  1. Optional:

    To prevent running vulnerable rules that were created before version 8.3, set the dynamic system setting security/enableJavaInjectionMitigation in the owning ruleset Pega-Engine to true.

  2. Optional:

    To check for Java injection vulnerabilities in addition to the default checks listed above, set the JVM system property named JavaInjection equal to a comma-delimited list of patterns to flag as vulnerabilities.

    -DJavaInjection="new Foo()"
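An added illustration of the decision logic the steps above describe; this is not Pega Platform code. It merges the four default patterns with a comma-delimited JavaInjection property value, searches a rule's Java source for them, and applies the documented run/block behaviour based on the rule's creation version and the security/enableJavaInjectionMitigation setting. Literal substring matching, the version-string parameter and the helper names are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The patterns Pega Platform flags by default, as listed in the documentation.
DEFAULT_PATTERNS: Tuple[str, ...] = (
    "Runtime.getRuntime()",
    "new ProcessBuilder()",
    "JavaCompiler",
    "org.dita.dost.invoker",
)

def configured_patterns(java_injection_property: Optional[str]) -> Tuple[str, ...]:
    """Merge the defaults with the comma-delimited -DJavaInjection value.
    Trimming whitespace around each entry is an assumption of this illustration."""
    extra = []
    if java_injection_property:
        extra = [p.strip() for p in java_injection_property.split(",") if p.strip()]
    return DEFAULT_PATTERNS + tuple(extra)

def find_vulnerabilities(java_source: str, patterns: Tuple[str, ...]) -> List[str]:
    """Return each configured pattern present in the rule's Java source.
    Literal substring matching is an assumption; Pega's real matcher may differ."""
    return [p for p in patterns if p in java_source]

@dataclass
class Decision:
    runs: bool            # whether the rule is allowed to execute
    outcome: str          # "clean", "error" (blocked) or "SECU0018" (alert only)
    findings: List[str] = field(default_factory=list)

def evaluate_rule(java_source: str, created_version: str, mitigation_enabled: bool,
                  java_injection_property: Optional[str] = None) -> Decision:
    """Apply the documented run/block behaviour to one rule (hypothetical helper).
    created_version: Pega Platform version the rule was created in, e.g. "8.2".
    mitigation_enabled: security/enableJavaInjectionMitigation (undefined == False)."""
    findings = find_vulnerabilities(java_source, configured_patterns(java_injection_property))
    if not findings:
        return Decision(True, "clean", findings)
    version = tuple(int(part) for part in created_version.split("."))
    # Rules created in 8.3 or later are reported as errors and never run.
    if version >= (8, 3):
        return Decision(False, "error", findings)
    # Pre-8.3 rules: the dynamic system setting decides between block and alert.
    if mitigation_enabled:
        return Decision(False, "error", findings)
    return Decision(True, "SECU0018", findings)
```

The rule bodies passed in are constructed samples, not real Pega rules.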

  • Mitigating common security vulnerabilities

    In addition to the policies on the Security Policies landing page, Pega Platform offers additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and others. Use these features to ensure that your system is as secure as possible.

  • Configuring dynamic system settings

    As a best practice, set system configuration settings by using dynamic system settings data instances. For example, you can use a dynamic system setting to configure which fields are available in full-text search. Dynamic system settings are stored in the Pega Platform database and are used by all nodes that share that database.
