SR-A90144 · Issue 259472
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93024 · Issue 259995
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A23603 · Issue 258204
ADP alert messages updated for security
Resolved in Pega Version 7.2.2
To improve security, ADP alert messages have been changed to include only data page name rather than the cache key used to identify the data page in the async service manager cache.
SR-A91743 · Issue 258673
Security update for pxInitials control
Resolved in Pega Version 7.2.2
XSS (Cross Scripting Filter) has been added for potentially exploitable parameters in the pxInitials control.
INC-174661 · Issue 678823
Handling added for clearing node killed between assignment and processing
Resolved in Pega Version 8.6.3
An Offer flow was not resuming after it expired according to the wait shape. Investigation traced this to partitions which were assigned to a dead node in NEW state where they were not picked up by the dataflow. The problem was only encountered in the unusual situation when a dataflow node was killed in the brief period of time between the assignment and the processing, and has been resolved by adding an update which will clear unknown new assigned partitions for the batch run health task.
INC-179879 · Issue 664804
Localization added to DelegateDescription
Resolved in Pega Version 8.6.3
Localization was not working correctly for the description of a delegated rule due to pyDelegeteDescription being defined with a non-localized Property value. This has been resolved by localizing the property value for pyDelegeteDescription.
INC-183211 · Issue 667011
Compare-To-Empty-String support added to Analyzer
Resolved in Pega Version 8.6.3
An enhancement has been added to support a NotEquals decision function in the Analyzer.
INC-186437 · Issue 685013
Updated entity attachment extraction tokenizers
Resolved in Pega Version 8.6.3
After creating an entity extraction model, it was seen that one of the entities worked when there was a space after the semicolon but the detection was not working if there was no space. This has been resolved by updating the Tokenizers with extra examples to address tokenization when ":" is present between two words without any spaces.
INC-187267 · Issue 679369
Resolved error for custom relative dates
Resolved in Pega Version 8.6.3
An error was seen when parsing the [Date Property] [is before/after] [Last/Next x days] while using a custom amount of number of days in Customer Decision Hub (CDH). This was due to the system not supporting the [Last/Next x days] feature for SSA, but only detecting this during parsing for the prefixed values for Proposition Filters and not custom values. As the parser did not realize the construct referring to the relative date was not supported, it created an SSA that caused an exception during execution. This has been resolved.