SR-A94083 · Issue 266677
SaveCovered checks for stale Cover
Resolved in Pega Version 7.2.2
When resolving a Covered work object, a stale copy of the Cover was being saved, which resulted in the opened Cover assignment becoming invalid. This was caused by the SaveCovered function not checking whether pyWorkCover was stale before calling RecalculateAndSave. This has been resolved by adding steps in SaveCovered to check if pyWorkCover is stale and, if it is, to open pyWorkCover using Obj-Open-By-Handle.
SR-A97281 · Issue 263948
SaveCovered checks for stale Cover
Resolved in Pega Version 7.2.2
When resolving a Covered work object, a stale copy of the Cover was being saved, which resulted in the opened Cover assignment becoming invalid. This was caused by the SaveCovered function not checking whether pyWorkCover was stale before calling RecalculateAndSave. This has been resolved by adding steps in SaveCovered to check if pyWorkCover is stale and, if it is, to open pyWorkCover using Obj-Open-By-Handle.
SR-A99477 · Issue 266058
SaveCovered checks for stale Cover
Resolved in Pega Version 7.2.2
When resolving a Covered work object, a stale copy of the Cover was being saved, which resulted in the opened Cover assignment becoming invalid. This was caused by the SaveCovered function not checking whether pyWorkCover was stale before calling RecalculateAndSave. This has been resolved by adding steps in SaveCovered to check if pyWorkCover is stale and, if it is, to open pyWorkCover using Obj-Open-By-Handle.
SR-A96203 · Issue 270094
CreateCase rollback corrected
Resolved in Pega Version 7.2.2
When an error occurred on any end step of the flow while creating a sub-case, Pega started the rollback of the process but was still saving pxCoveredInsKeys in the Clipboard page of the Case. This was a missing use case in AddCoveredWork to call RemoveFromCover if an error was thrown while creating a child case, along with copying pages from cover to primary, and has been corrected.
SR-A96203 · Issue 266909
CreateCase rollback corrected
Resolved in Pega Version 7.2.2
When an error occurred on any end step of the flow while creating a sub-case, Pega started the rollback of the process but was still saving pxCoveredInsKeys in the Clipboard page of the Case. This was a missing use case in AddCoveredWork to call RemoveFromCover if an error was thrown while creating a child case, along with copying pages from cover to primary, and has been corrected.
SR-A91680 · Issue 259008
Resolved Null Pointer Error for resubmit of a corrected case with optimistic locking
Resolved in Pega Version 7.2.2
Work order case creation was throwing a null pointer exception in logs if optimistic locking was enabled on the case type and the case was resubmitted after correcting a validation error. This has been fixed with the addition of a null check for a clipboard page in use.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB2 error codes being returned to the user in the exception response. In order to prevent any vulnerability, the message shown to the HTTP client will mask SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB2 error codes being returned to the user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the HTTP client will mask SQLCodes.
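The masking described in the two entries above, shown as an added Python example (not Pega's code): DB2 diagnostic fields are replaced in the client-facing text while the full message is logged server-side under a reference ID. The function name, the `***` placeholder, the reference-ID scheme and the sample message are assumptions made for this illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("db_error_mask")

# Diagnostic fields in the layout used by IBM DB2 JDBC driver messages.
# Each value runs to the next comma or whitespace; SQLERRMC carries
# schema and object names, DRIVER carries the driver version.
_DB2_FIELDS = re.compile(
    r"\b(SQLCODE|SQLSTATE|SQLERRMC|DRIVER)\s*=\s*[^,\s]+", re.IGNORECASE
)


def mask_for_client(raw_message):
    """Return (client_safe_message, reference_id).

    The unmodified message is logged server-side under reference_id, so
    support staff can still find the SQLCODE that the client never sees.
    """
    reference_id = uuid.uuid4().hex[:12]
    log.error("ref=%s db_error=%s", reference_id, raw_message)

    # Keep the field name, drop the value.
    masked = _DB2_FIELDS.sub(
        lambda m: m.group(1).upper() + "=***", raw_message
    )
    return "%s (ref %s)" % (masked, reference_id), reference_id


# Constructed sample message, not taken from a real system.
SAMPLE = (
    "Query failed: DB2 SQL Error: SQLCODE=-204, SQLSTATE=42704, "
    "SQLERRMC=APPUSER.PR_FOO, DRIVER=4.19.26"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    client_message, _ = mask_for_client(SAMPLE)
    print(client_message)
```

Masking at the point where the HTTP response is built, rather than where the exception is raised, keeps the original codes available to server-side logging and monitoring.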
SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
A valid authentication attempt with security policies and password lock-out feature enabled caused the 'OperatorID' to be present in all the threads, but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in 'STANDARD' thread and empty in other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.
SR-A90144 · Issue 259472
Apache Struts JARs updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.