Skip to main content

Resolved Issues

View the resolved issues for a specific Platform release.

Go to download resolved issues by patch release.

Browse release notes for a selected Pega Version.

NOTE: Enter just the Case ID number (SR or INC) in order to find the associated Support Request.

Please update your bookmarks. This site will be discontinued in Dec 2024.

Pega Platform Resolved Issues for 8.1 and newer are now available on the Support Center.

SR-B86311 · Issue 341403

Enhanced security by masking requestor-ID

Resolved in Pega Version 7.4

In order to improve session security against potential hijacking of a session, the Pega-RULES cookie will be masked in various locations, such as log files, SMA, tracer, exceptions, etc. by exposing only the first character (as it depicts the type of requestor) and the last four characters.

SR-B88923 · Issue 337768

Utility added to check for operators using default passwords

Resolved in Pega Version 7.4

To enhance security and ease of administration, a utility has been added that can disable default operators that ship with Pega Platform and Strategic Apps if the password hasn't been changed. This utility can be called as a service by PegaCloud. Please see the release notes for more information.

SR-B89114 · Issue 339165

XSS filtering added to ImportSpecExcel

Resolved in Pega Version 7.4

The control 'pzImportSpecExcel' has been modified to secure the property pyImportFileName with XSS filtering.

SR-B91752 · Issue 340794

TrackSecurityChanges passes correct values for page groups

Resolved in Pega Version 7.4

The pzTrackSecurityChanges Utility is called from the TracKSecurityChangesLogic activity whenever the value changes for an audited property. For this function, current value and previous value are passed from the clipboard. However, in cases of page groups, the parent property was being passed instead of the current and previous values. This has been fixed.

SR-B93715 · Issue 344806

Apache Groovy updated

Resolved in Pega Version 7.4

Apache Groovy has been updated to 2.4.4 for improved security.

SR-B93934 · Issue 340753

Sensitive handling added for validation of encrypted SOAP

Resolved in Pega Version 7.4

The WSS4J library was not calculating the processing actions validation on encrypted SOAP messages correctly after the message's security requirements were already processed by the library. This means that the verification of signature or decryption or any other actions worked and the necessary security processors were engaged correctly, however the check was failing during the last leg of the processing actions validation. Since the action matching is of less significance, the validation for actions will be relaxed in situations where the ws-security config is signature and encryption and/or timestamp.

SR-B95798 · Issue 344526

XSS filtering added to GetTour

Resolved in Pega Version 7.4

Cross scripting filtering has been added to pxGetTour java step 7, which prepares JSON.

SR-C1107 · Issue 351146

Oauth tokens obtained on login timeout

Resolved in Pega Version 7.4

When the client idle time expires, the user must perform a login in order to get back into the application. If OAuth is being used for authentication there is no need to re-send the credentials to NetIQ if neither the refresh token nor access token are expired yet, but the hybrid client was repeating the ROPC flow and obtaining a new refresh token each time the user logged in after the client idle timeout expires. With this change, the tokens are obtained on login timeout. There will be a further update targeted for the next release to show the lock screen and not log the user out.

SR-C1107 · Issue 351606

Oauth tokens obtained on login timeout

Resolved in Pega Version 7.4

When the client idle time expires, the user must perform a login in order to get back into the application. If OAuth is being used for authentication there is no need to re-send the credentials to NetIQ if neither the refresh token nor access token are expired yet, but the hybrid client was repeating the ROPC flow and obtaining a new refresh token each time the user logged in after the client idle timeout expires. With this change, the tokens are obtained on login timeout. There will be a further update targeted for the next release to show the lock screen and not log the user out.

SR-C147 · Issue 343884

Security improvements for generateCellContent RUF

Resolved in Pega Version 7.4

Code changes have been made to improve security for getting the parameter value in the generateCellContent RUF.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us