INC-168914 · Issue 659658
Updates added against Cross-site Scripting
Resolved in Pega Version 8.4.5
Cross-site Scripting (XSS) protections have been updated for the UI.
INC-169203 · Issue 646099
Robotics Desktop Automation correctly runs on subsequent tabs
Resolved in Pega Version 8.4.5
When using Customer Service (CRM) to call Robotics Desktop Automation (RDA) from a data page, closing the first interaction tab after the RDA automation was completed resulted in the automation not being triggered for the second tab. If the first tab was not closed, the automation on the second worked as expected. Investigation showed the attachOnUnload was unregistering the client actions for all the open tabs and the attachOnLoad was not being called on reload. This has been resolved by updating attachOnLoad so it is now called with InvokeOnReload as 'true' to register client action for the tab in focus.
INC-174468 · Issue 650945
Delegated rules search considers localized text
Resolved in Pega Version 8.4.5
The search / filter box used to look for particular delegated rules on the configuration tab did not consider localization via field values, where the on screen name and description of the delegated rule was localized. This resulted in the search text being compared against the original text (.pyAdviceText and .pyDescription) used for the name and description at the time the rule was delegated, but not with the localized text that actually appeared on the screen. This has been resolved by updating the pzPopulateDelegations activity to filter by localized values of pyAdviceText and pyDescription.
INC-178070 · Issue 658424
Browser invocation allowed for UnlockOperator
Resolved in Pega Version 8.4.5
Attempting to unlock an operator who was locked out due to security policies was failing. This was an unintended side effect of security work performed earlier, and has been resolved by reenabling 'Allow invocation from browser ' for pzUnlockOperator. This activity requires an authentication check with privilege protection.
INC-150317 · Issue 625881
Certificate updates handled across nodes
Resolved in Pega Version 8.4.5
An SSL handshake exception was occurring when running a Connect-REST call automatically from the flow as a background process on a background processing node. The same Connect-REST worked fine when run manually. The exception detailed the issue as "SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers allowed for trust of the SSL certificate(s) provided by the remote server to which this client attempted a connection." This was traced to a pulse change scenario where the reloading of the certificates was not happening on all the nodes after adding a new certificate or deleting a certificate. This has ben resolved by adding the DATA-ADMIN-SECURITY-CERTIFICATE class into the UpdatesCacheUtils.java class.
INC-155276 · Issue 622815
Null check added for step page
Resolved in Pega Version 8.4.5
After creating and adding new Access Roles and application 'Access When' to the privileges instead of Production level, during run time the error "runtime.IndeterminateConditionalException: Trying to evaluate Rule-Access-When conditions L:IsProdAccess when there is no page to evaluate them against" appeared for the specific privileges. This was traced to a missed use case where the system falls back to the step page if the page for evaluating the 'when' condition is null, which did not account for scenarios where the step page can be null. To resolve this, a null check has been added which will fetch the primary page if the step page for the access 'when' condition is null.
INC-155813 · Issue 629504
SAML SSO redirects to correct URL when application and authentication aliases match
Resolved in Pega Version 8.4.5
Whenever there was a match in the authentication service alias and the application alias, the application alias was replaced with empty after logoff instead of making the authentication service alias empty. For example, given an authentication service with the alias XYZ ("login with XYZ" alias option) and an application name XYZMyOps, the application alias was being changed from XYZMyOps to appMyOps after logoff. As a result, a blue screen error resulted when clicking on button "login with XYZ" again because it redirected to appMyOps, which didn't exist. This has been resolved by removing authservicealias and modifying AuthServiceAliasHelper.adjustPathIfAuthServiceAliasPresent() to change the method for calculating the pathinfo to string tokenizing.
INC-156647 · Issue 626292
Improved disconnected requestor cleanup for FieldService
Resolved in Pega Version 8.4.5
A large number of requestors from FieldService with the status as 'Disconnected' were accumulating and causing performance issues. This was traced to the requestors not getting passivated due to users not logging out and new requestors being created for the same users next time, and was caused by the value of the DSS Initialization/PersistRequestor being set as "OnTimeout". When the DSS prconfig/timeout/browser/default is not configured, the default browser requestor timeout is 60 minutes. In this scenario, requestors were not passivating as the requestor passivation timeout was set to the refresh token lifetime for mobile users, which was very large and overwrote the DSS value. This has been resolved by removing the code which set the passivation timeout to the OAuth2 refresh token lifetime.
INC-158720 · Issue 633990
Handling added for obfuscation stale requestor error
Resolved in Pega Version 8.4.5
When an environment was configured with URL encryption (initialization/UREncryption) set to true and the Authentication Service OPENID had a POST authentication activity which set pyAuthenticationPolicyResult to false, a blue screen error was seen with the exception "Obfuscation cannot be performed with a null or blank key". This was traced to the system trying to fetch the secureFeaturesForURLTampering property from staleRequestorrequestor object when the object had already been destroyed. This has been resolved by adding additional handling for the staleRequestorError.
INC-161260 · Issue 634050
Enhanced logging for CBAC policies
Resolved in Pega Version 8.4.5
Additional logs have been added to assist in easier debugging of any configuration issues with CBAC policies.