INC-137873 · Issue 596157
Java injection security updated
Resolved in Pega Version 8.6
Protections have been updated against a Java injection.
INC-137874 · Issue 599128
Cross site scripting update for Dev Studio
Resolved in Pega Version 8.6
Cross Site Scripting (XSS) protections have been added to Developer Studio.
INC-139084 · Issue 626647
Improvements for Report Definition OperatorID filtering
Resolved in Pega Version 8.6
Report Definition filters were not working as expected when data from the OperatorID page was used and authentication was enabled. This was traced to the OperatorID page not being correctly populated. To resolve this, the authentication logic has been modified to always create the OperatorID page at requestor level, and the HTTP API layer has been updated to remove the thread level OperatorID page if exists. In addition, an enhancement has been added for improved debugging on log appenders provided by log4j which allows log filtering based on the requestor and thread for a given appender at a specific log level.
INC-139867 · Issue 588758
Additional security for encrypted passwords
Resolved in Pega Version 8.6
Handling and cleanup has been updated for encrypted values to enhance security.
INC-140101 · Issue 597635
System will attempt to decrypt data ending in "+"
Resolved in Pega Version 8.6
Encrypting and decrypting one specific email address was not working properly when showing on the UI. It was possible to force a decryption using decryptproperty, but Pega generated an error. This was due to the actual encrypted value ending with '+', which conflicted with a system check that skips decryption if the encrypted property value ends with + . To resolve this, the system will attempt to decrypt the property even when encryptedText ends with + .
INC-140111 · Issue 594377
CSRF token handling added to Bulk Processing
Resolved in Pega Version 8.6
CSRF token handling added to Bulk ProcessingOn click of submit button from the bulk transfer screen, the pzbulkprocess harness was loaded and the portal was automatically logged off. Investigation showed that when CSRF was enabled, loading pzBulkProcess failed with a 403 error that resulted in logging off the current session due to a missing fingerprint token. This has been resolved by adding both CSRF token and fingerprint generation logic to pzBulkProcessingList.
INC-140224 · Issue 604004
Corrected SAML SSO error
Resolved in Pega Version 8.6
After opening a case from the Pega-FCM portal or after logging in from SSO, closing the Pega window and opening it again resulted in the error "Unable to process the SAML WebSSO request : Violation of PRIMARY KEY constraint %27pr_data_saml_requestor_PK%27. Cannot insert duplicate key in object". This was a missed use case that happens only under the old SAML configuration, and has been resolved by removing a when condition that checks for stepstatus fail for the pySAMLwebSSOAuthentication activity.
INC-141595 · Issue 602714
CSRF and Browser fingerprint tokens added for testing custom scripts
Resolved in Pega Version 8.6
After upgrade, the test window appeared blank when attempting to test Decision Table rules. This was traced to there not being CSRF token and Browser fingerprint handling in the custom script used to show a prompt screen to the user. Because the CSRF token validation was missing, the request failed. To resolve this, CSRF and Browser fingerprint tokens have been added as hidden fields.
INC-141940 · Issue 601541
Revoke Access Token check removed from OAuth Client Registration
Resolved in Pega Version 8.6
When client credentials were implemented, the OAuth 2.0 Client Registration form was designed such that once the instance was created and a token issued, the access tokens were deleted on save. Process changes now indicate that it should be possible to save the form because it may only have History Description/Usage changes made to it and Revoke Token and Regenerate Secret buttons are already available. To address this, the Revoke Access Token check has been removed from the validate activity of Client Registration.
INC-142145 · Issue 594917
Resolved 403 error for refresh of incognito window with CSRF
Resolved in Pega Version 8.6
Opening the simpleurl in a fresh incognito window opened the work object in a standard thread, but on refresh of the window a 403 error appeared and the screen went blank. This was a missed use case for the recently-added CSRF validation for non-ajax get requests which are redirected post requests. The CSRF token was being validated if pzPostData was in the request, but once the original request was complete the request map was cleared and the pzCtkn value in the request map was empty, resulting in the 403 error. To resolve this, the system will skip CSRF validation for a refresh scenario where the post data request map is empty after the original request, and validation has been added for the blank pyActivity in the request.