
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical security vulnerability (CVE-2022-24082) was discovered in Pega Platform versions 8.1.0 and higher, related to insecure deserialization. The vulnerability was discovered by Marcin Wolak at RaboBank and disclosed in July 2022. The issue affects on-premises installations of Pega Platform, while PegaCloud systems were not impacted due to their design (Pega Support).
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows upload of serialized payloads that could be used to attack the underlying system. It specifically involves the JMX interface on the Cassandra and Kafka components, which can be exploited when the corresponding network ports are left exposed (NVD, Pega Support).
For on-premises clients, a malicious actor could achieve remote code execution (RCE) through the JMX interface on Cassandra and Kafka in situations where clients leave unneeded network ports exposed (Pega Support).
Pega has released the B22 Hotfix series for all affected versions to remediate this vulnerability. While clients could mitigate the vulnerability by closing all unneeded ports, Pega strongly recommends installing the appropriate hotfix to prevent accidental exposure. The fix requires Java version 8u111 or later and necessitates a system restart after installation. PegaCloud and Pega Cloud for Government clients are automatically protected as Pega has already implemented mitigations for these environments (Pega Support).
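The two checks an on-premises operator would want to run after reading the above are whether the Java runtime meets the 8u111 hotfix prerequisite and whether the Cassandra and Kafka JMX ports are actually reachable beyond the loopback interface. The script below is an added example, not Pega's or Wiz's tooling; it assumes 7199 (Cassandra's default JMX port) and 9999 (a commonly used `JMX_PORT` value for Kafka) as the ports to audit, and the `ss -ltn` sample it parses is constructed.

```python
"""Audit helper for the CVE-2022-24082 mitigations: Java version prerequisite
and JMX port exposure on a Pega Platform host. Added example, not vendor code."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed port map: 7199 is Cassandra's default JMX port; Kafka has no fixed
# default and is normally set via the JMX_PORT environment variable, for which
# 9999 is a common choice. Adjust these to the actual deployment.
JMX_PORTS: Dict[int, str] = {7199: "Cassandra JMX", 9999: "Kafka JMX (JMX_PORT, assumed)"}

# Hotfix prerequisite stated in the advisory: Java 8u111 or later.
MIN_JAVA = (8, 111)

# Matches legacy banners ("1.8.0_111") as well as modern ones ("11.0.2", "17").
_JAVA_RE = re.compile(r'version "(?:1\.)?(\d+)(?:\.\d+)*(?:_(\d+))?')

# Addresses that keep a listener unreachable from the network.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if unparsable."""
    m = _JAVA_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def java_meets_minimum(banner: str) -> bool:
    """True when the runtime is 8u111 or newer (any Java 9+ release qualifies)."""
    version = parse_java_version(banner)
    return version is not None and version >= MIN_JAVA


@dataclass
class Finding:
    port: int
    address: str
    service: str


def exposed_jmx_listeners(ss_output: str) -> List[Finding]:
    """Parse `ss -ltn` output and return JMX listeners bound to a wildcard or
    routable address; loopback-only listeners are not reported."""
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in JMX_PORTS:
            continue
        if addr in LOOPBACK or addr.startswith("127."):
            continue
        findings.append(Finding(int(port), addr, JMX_PORTS[int(port)]))
    return findings


# Constructed sample: Cassandra JMX on all interfaces (bad), Kafka JMX on
# loopback only (acceptable), and an unrelated CQL listener on 9042.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:7199         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9999       0.0.0.0:*
LISTEN  0       4096    [::]:9042            [::]:*
"""


def audit_host() -> Tuple[bool, List[Finding]]:
    """Run both checks against the local machine."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
        banner = proc.stderr or proc.stdout  # `java -version` writes to stderr
    except FileNotFoundError:
        banner = ""
    try:
        ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        ss = ""
    return java_meets_minimum(banner), exposed_jmx_listeners(ss)


if __name__ == "__main__":
    java_ok, exposed = audit_host()
    print("Java >= 8u111:", java_ok)
    for f in exposed:
        print(f"EXPOSED {f.service} on {f.address}:{f.port}")
```

Run as-is on a host to get a quick yes/no on the hotfix prerequisite and a list of JMX listeners that need either firewalling or rebinding to loopback; the parsing functions take strings so the same checks can be fed output collected from many hosts.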
Source: This report was generated using AI