SR-A90144 · Issue 259472
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93024 · Issue 259995
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A23603 · Issue 258204
ADP alert messages updated for security
Resolved in Pega Version 7.2.2
To improve security, ADP alert messages have been changed to include only data page name rather than the cache key used to identify the data page in the async service manager cache.
SR-A91743 · Issue 258673
Security update for pxInitials control
Resolved in Pega Version 7.2.2
XSS (Cross Scripting Filter) has been added for potentially exploitable parameters in the pxInitials control.
INC-128342 · Issue 594185
Improved cleanup for adm_response_meta_info
Resolved in Pega Version 8.6
The adm_commitlog.adm_response_meta_info column family was growing, leading to gradual increase in CPU utilization on the Adaptive Decision Management (ADM) nodes over time. Investigation showed that the compaction on the adm_response_meta_info table was not being triggered by the ADM service, and the compaction did not remove rows that belonged to models that had been deleted. To resolve this, compaction of the adm_response_meta_info table has been moved from the ADM client nodes to the ADM service nodes, which will correctly trigger the compaction on a predefined schedule. The compaction logic has also been refactored to remove rows that belong to models that have been deleted.
INC-136634 · Issue 591679
Thread contention resolved for InteractionHistoryQuery
Resolved in Pega Version 8.6
High thread contention was observed while running Inbound load tests. This was traced to pzLoadInteractionHistory invoking a generated strategy to retrieve ihFields from InteractionHistoryQuery using the getUsedInteractionHistoryFields() method: because this method is synchronized, it caused a bottleneck. To resolve this, the synchronized methods have been replaced with the appropriate data structures.
INC-136969 · Issue 585547
Section and Paragraph rule types added to Revision Manager
Resolved in Pega Version 8.6
An enhancement has been made to add support for section and paragraph rule types in revision management. With this change, the sections and paragraph rule types can be added to overlay and can be added to change requests and modified.
INC-138037 · Issue 586595
Strategy handling updated for very large systems using IH summary
Resolved in Pega Version 8.6
When a Strategy in a Real-time dataflow used IH Summary on a system with more than 5000 groups for one eventKey, the message "Error retrieving aggregates from Cassandra KVS" intermittently appeared. Investigation showed that if the number of result rows was greater than the FETCH_SIZE (set to 5000), it meant another read to Cassandra was required and an exception was generated. To resolve this, updates have been made so that instead of returning maps, the system will return iterators and change them to map on the calling thread.
INC-138103 · Issue 585640
Enhancement added for node heartbeat recovery process
Resolved in Pega Version 8.6
Nodes were not showing up in the admin portal even though they were up and running and could be seen in the pr_sys_statusnodes table. The exception "An exception was encountered while invoking the cluster membership listener callback" was seen. All nodes became visible again after multiple restarts. The root cause was traced back to a temporary database connectivity problem. The database itself was fine according to database monitoring reports, but a network problem, a slow database query, or another issue prevented Pega from establishing a connection for more than a minute. An enhancement has been made to resolve this: if a node becomes unhealthy due to the service registry missing due to a failed heartbeat, the heartbeat will try to recover after 60 seconds and keep trying every 30 seconds until it succeeds.