SR-A80606 · Issue 254964
Data Import API updated to be case-sensitive
Resolved in Pega Version 7.2.2
When using a Data Import Shape for a Class Type which had a same named property identifier (but with a different case) as in the SR hierarchy, both the properties were considered valid and imported as SR properties. This caused issues in the strategy rule as the Set property components set the values for the incorrect instance and eventually led to strategy failures as the expected instance did not have a value set. This has been resolved by using a case-sensitive API to validate the source property against the target class.
SR-A24962 · Issue 250080
DataSet-Execute updated to correct time-to-live error
Resolved in Pega Version 7.2.2
When using the time to live option of a Decision Data Store dataset, the java generation for the DataSet-Execute method was causing java compilation errors. This was due to an inconsistency between the code generation for DataSet-Execute method in an activity and the settings provided. To correct this, the algorithm used to generate the code for DataSet-Execute method has been updated to include the time to live setting and to generate correct and compilable code.
SR-A24962 · Issue 248678
DataSet-Execute updated to correct time-to-live error
Resolved in Pega Version 7.2.2
When using the time to live option of a Decision Data Store dataset, the java generation for the DataSet-Execute method was causing java compilation errors. This was due to an inconsistency between the code generation for DataSet-Execute method in an activity and the settings provided. To correct this, the algorithm used to generate the code for DataSet-Execute method has been updated to include the time to live setting and to generate correct and compilable code.
SR-A80784 · Issue 254197
Enhancement for Facebook connector retrieval
Resolved in Pega Version 7.2.2
Whenever the Facebook connector was restarted, historical posts on the monitored page were being fetched and duplicate documents were getting harvested into the DB. To resolve this, a new search parameter has been added for the Facebook connector that will receive a date as parameter for how many period/days of historical data to fetch.
SR-B6425 · Issue 275629
Scrum Board chicklet error resolved
Resolved in Pega Version 7.2.2
After collapsing and expanding a user story chicklet in the Scrum Board, adding a new note to the user story would cause the user story chicklet to disappear. This was a rendering issue due to an error in the type property syncing with the level property, and has been fixed.
SR-A91802 · Issue 260001
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A75956 · Issue 250547
D_OfflineWorkIDs DP performance improvements
Resolved in Pega Version 7.2.2
The logic of D_OfflineWorkIDs DP has been updated to improve performance for the SA PROD App.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
A valid authentication attempt with security policies and password lock-out feature enabled caused the 'OperatorID' to be present in all the threads, but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in 'STANDARD' thread and empty in other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.