INC-173466 · Issue 651456
Operator security enhancements
Resolved in Pega Version 8.5.4
It was possible to enable an operator from the operator access landing page even when write access was denied in the data admin operator class. This has been corrected.
INC-159834 · Issue 632248
StackOverFlow logging improved
Resolved in Pega Version 8.5.4
Enhanced diagnostic logging information has been added to help find issues when StackOverFlow errors occur.
INC-161984 · Issue 638857
Web Tier busy threads released on timeout
Resolved in Pega Version 8.5.4
Tomcat Web Tier Busy Threads were not being correctly released, causing stability and performance problems that included health check pings not receiving a thread to service the request so the node was marked as bad, users were quiesced, and the node replaced. Investigation showed the 'put' on the blocking queue did not time out when the queue was full and waited indefinitely, keeping the thread blocked. To resolve this, the system will use 'offer' on the blocking queue instead of 'put' to force thread release on timeout. In addition, debug logs have been added to understand when the offer (or Put) does not succeed and the state of the queue that is causing this issue; the debug logs for class com.pega.pegarules.session.internal.serverpush.RoboticAutomationImpl should be enabled only if the thread busy issue is observed and for limited time window while actively debugging.
INC-164794 · Issue 637992
Apache Commons libraries updated
Resolved in Pega Version 8.5.4
Apache commons-codec has been updated to version 1.15 , and Apache commons-io has been updated to version 2.7.
INC-171587 · Issue 652187
Resolved Push Node Daily Information exception
Resolved in Pega Version 8.5.4
The "Push Nodes Info Daily" agent was generating an exception on each of the nodes. This has been resolved by enhancing the PegaAESRemote code to handle the exception and get the node info locally, then push it to the console when it is not able to get it via the cluster management API.
INC-173162 · Issue 650794
Certificate match will use Subject Distinguished Name
Resolved in Pega Version 8.5.4
Signature verification was failing due to the system not finding the matching root certificate for the chain. The root certificate was in the trust store, but the system found a different certificate first and that other certificate (an intermediate certificate) was not considered a valid certificate for validating the whole certificate chain. This was traced to filtering on the Issuer Distinguished Name (DN) instead of the Subject DN and was due to intermediate certificates potentially having the same Issuer as a root certificate (e.g. if that root certificate was used to create the intermediate certificate). To resolve this, an update has been made to check the Subject DN instead of Issuer DN.
INC-174298 · Issue 650258
Instance count logic updated
Resolved in Pega Version 8.5.4
A performance issue was seen during upgrade that resembled an upgrade hang. This was caused by a combination of incorrect logic in DDLGenerator.getInstanceCountForClass() around counting instances of 'core' classes and all of the site history-data- tables being mapped to the same table that had 1.4+ billion rows. This behavior has been addressed with more correct query logic while performing instance counts. In addition, instance count will be supressed during command line invocations (prpcUtils, platform upgrade).
INC-118838 · Issue 560694
OKTA receives parameters on logout
Resolved in Pega Version 8.4.2
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
INC-118927 · Issue 571492
Resolved OAuth2 mobile app loop
Resolved in Pega Version 8.4.2
When a Pega OAuth2 authorize endpoint was invoked and the redirect URI contained "app", a loop was created where the system attempted to fetch the app alias from the state parameter value and was redirected back to itself. This could sometimes result in inconsistent mobile app styling. Investigation showed that a certificate with keyword app that was picked for the redirect URI could have the key word assumed to be the app alias context, so a workaround was to remove the app keyword. To resolve the issue, the system has been updated to look for the app alias only in the state parameter rather than perform a string contains check on the entire query string.
INC-125095 · Issue 560831
SAML authreqcontext duplicate key exception logging changed to debug
Resolved in Pega Version 8.4.2
As part of work done to improve the performance of the pr_data_saml_authreqcontext table during the SAML flow, the duplicate key exception handing was creating a large number of unique constraint log messages while saving sessionInfo to the database during SAML authentication if ADFS was used because the ADFS provider session Info is always blank. This has been resolved by changing the log statement in the duplicate key exception handling to debug.