INC-194287 · Issue 681065
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.7
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
SR-B56648 · Issue 315674
Added security check when running out-of-the-box reports with ShowSelectorView
Resolved in Pega Version 7.3.1
A security issue was found where non-authorized users were able to access the out-of-the-box report details in their portal by manipulating the URL to pass a "short-cut" parameter that executed the Final "ShowSelectorView" activity. To avoid the need to set the explicit privileges manually, the ShowSelectorView activity will call a security check to prevent this.
SR-D43272 · Issue 516441
Local user lookup modifed to use requestor level data page to improve performance
Resolved in Pega Version 8.4
In a system with many users (over 40k), attempting to search for a user to send a private message was taking an excessive amount of time. Analysis found that all of the users were being loaded at once in a page list of type Code-Pega-List. This led to errors indicating the Page List property had more elements than the specified threshold, but pagination could not be added as the activity and RD are final. To improve performance, this process has been modified to use a data page at the requestor level instead.
SR-D43272 · Issue 516440
Local user lookup modifed to use requestor level data page to improve performance
Resolved in Pega Version 8.2.5
In a system with many users (over 40k), attempting to search for a user to send a private message was taking an excessive amount of time. Analysis found that all of the users were being loaded at once in a page list of type Code-Pega-List. This led to errors indicating the Page List property had more elements than the specified threshold, but pagination could not be added as the activity and Report Definition are final. To improve performance, this process has been modified to use a data page at the requestor level instead.
SR-D43272 · Issue 516439
Local user lookup modifed to use requestor level data page to improve performance
Resolved in Pega Version 8.3.2
In a system with many users (over 40k), attempting to search for a user to send a private message was taking an excessive amount of time. Analysis found that all of the users were being loaded at once in a page list of type Code-Pega-List. This led to errors indicating the Page List property had more elements than the specified threshold, but pagination could not be added as the activity and RD are final. To improve performance, this process has been modified to use a data page at the requestor level instead.
INC-215343 · Issue 711087
Security updates
Resolved in Pega Version 8.7.2
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-215343 · Issue 711143
Security updates
Resolved in Pega Version 8.8
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
SR-D90452 · Issue 551808
SSOPreAuthenticationActivity runs until success
Resolved in Pega Version 8.3.3
When a user visited a public-facing application via a Single Sign-On (SSO) URL that redirected to SAML IDP for authentication, the first time the URL was hit the system correctly executed pySSOPreAuthenticationActivity as part of pre-authentication to determine if authentication is possible/allowed. If the pySSOPreAuthenticationActivity set the pyAuthenticationPolicyResult to 'false', authentication was not allowed: the user was not redirected to the IDP and an error message was shown. However, if the same URL is hit again after that rejection without any changes, the user was redirected to the IDP for authentication because the preauthentication activity was not run again. This has been resolved by updating the system to continue to call the pre-authentication activity for the SSO URL until a success status is returned by the activity.
INC-151253 · Issue 607624
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.5.2
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.