This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Configuring the Java injection check

Updated on July 1, 2021

At design time and at run time, Pega Platform checks activities, functions, and stream rules for particular Java injection vulnerabilities.

Pega Platform reports errors at design time and run time, and does not run any activity, function, or stream rule that was created in Pega Platform 8.3 or later and includes any of the following commands:
  • Runtime.getRuntime()
  • new ProcessBuilder()
  • JavaCompiler
  • org.dita.dost.invoker

For rules that were created before version 8.3, the system behavior depends upon the value of the dynamic system setting security/enableJavaInjectionMitigation.

  • If a vulnerability is found and the dynamic system setting is not defined or is false, the rule runs and security alert SECU0018 appears on the security alert log.
  • If a vulnerability is found and the dynamic system setting is true, an error is reported and the rule does not run.

Important: As a security best practice, set the dynamic system setting security/enableJavaInjectionMitigation in the owning ruleset Pega-Engine to true to prevent running vulnerable rules.

Optional: To flag additional Java injection patterns beyond the default checks listed above, set the JVM system property named JavaInjection to a regular expression; any match of that pattern is also reported as a vulnerability. For example: -DJavaInjection="new Foo()"
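The following is an added illustration of the decision logic described on this page, not Pega Platform code: it is a small scanner that looks for the four default constructs plus an optional extra pattern (playing the role of the JavaInjection JVM property) and then applies the version and dynamic-system-setting rules to decide whether the rule runs, runs with a SECU0018 alert, or is blocked. The regular expressions, function names, the (major, minor) version tuple, the alert-line format and the sample rule bodies are all my own assumptions.

```python
"""Illustrative scanner mimicking the Java injection check described above.
Not Pega code: the regexes, function names, version handling and the
alert-line format are assumptions made for this example."""
import re
from typing import Optional

# The four constructs the page lists as always flagged. The regular
# expressions are an approximation of how to match them in Java source.
DEFAULT_PATTERNS = {
    "Runtime.getRuntime()": re.compile(r"\bRuntime\s*\.\s*getRuntime\s*\(\s*\)"),
    "new ProcessBuilder()": re.compile(r"\bnew\s+ProcessBuilder\s*\("),
    "JavaCompiler": re.compile(r"\bJavaCompiler\b"),
    "org.dita.dost.invoker": re.compile(r"\borg\.dita\.dost\.invoker\b"),
}

SECURITY_ALERT = "SECU0018"


def find_java_injection(source: str, extra_pattern: Optional[str] = None):
    """Return the labels of every flagged construct found in a rule's Java.

    extra_pattern plays the role of the JavaInjection JVM property: an
    additional regular expression whose matches are also reported.
    """
    findings = []
    for label, pattern in DEFAULT_PATTERNS.items():
        if pattern.search(source):
            findings.append(label)
    if extra_pattern and re.search(extra_pattern, source):
        findings.append(f"custom:{extra_pattern}")
    return findings


def evaluate_rule(source, created_version, mitigation_enabled, extra_pattern=None):
    """Decide whether the rule runs, following the page's decision table.

    created_version: (major, minor) of the Pega version the rule was created in.
    mitigation_enabled: value of security/enableJavaInjectionMitigation
                        (None means the setting is not defined).
    Returns (decision, findings) where decision is 'run', 'alert' or 'error'.
    """
    findings = find_java_injection(source, extra_pattern)
    if not findings:
        return "run", findings
    if created_version >= (8, 3):
        return "error", findings      # 8.3+ rules are always blocked
    if mitigation_enabled:
        return "error", findings      # setting true: error reported, rule not run
    # Setting undefined or false: the rule runs and SECU0018 goes to the alert log
    return "alert", findings


def alert_line(rule_name, findings):
    """Format a constructed security-alert log line (not Pega's real format)."""
    return f"{SECURITY_ALERT} rule={rule_name} flagged={','.join(findings)}"


# Constructed sample rule bodies, not taken from any real application.
SAMPLES = {
    "clean": 'String greeting = "hello " + name;',
    "runtime": "int n = Runtime.getRuntime().availableProcessors();",
    "compiler": "JavaCompiler jc = ToolProvider.getSystemJavaCompiler();",
    "custom": "Foo f = new Foo();",
}

if __name__ == "__main__":
    # Walk every combination of sample, creation version and setting value.
    for name, src in SAMPLES.items():
        for version in ((8, 2), (8, 3)):
            for setting in (None, False, True):
                decision, found = evaluate_rule(
                    src, version, setting, extra_pattern=r"new Foo\(\)")
                print(f"{name:8} v{version[0]}.{version[1]} "
                      f"setting={setting!s:5} -> {decision:5} {found}")
                if decision == "alert":
                    print("  " + alert_line(name, found))
```

One caveat the page's example invites: because the JavaInjection value is treated as a regular expression, parentheses are grouping metacharacters, so in this scanner the literal pattern `new Foo()` matches the text `new Foo` followed by an empty group; to match the literal call, escape the parentheses as in the `new Foo\(\)` pattern used above. Verify the pattern against a known-bad and a known-good rule body before relying on it.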
