INC-200303 · Issue 692846
OIDC authentication service token reload updated
Resolved in Pega Version 8.6.3
The exception “PRSecurityException: Invalid State Parameter received" was generated along with "Unable to execute OIDC flow : Caught exception while parsing the id token”. The issue was identified in the Keystore cache refresh strategy for the 'reload once per interaction' option. While the Refresh interval was one minute for reload once per interaction, if there was a login request/keystore request in that one minute then the refresh interval was pushed to one minute again from that timestamp. The system was also maintaining the cache refresh interval as one minute. That meant if there were continuous requests, then the refresh interval was pushed to one minute for each request. As a result, the Refresh interval was repeatedly extended until the exception occurred. To resolve this, the Refresh token will happen if there are no requests for a period of one minute, and the cache refresh interval for "Reload once per iteration" has been removed completely.
INC-200877 · Issue 693824
Functions supported in Authorization Service
Resolved in Pega Version 8.6.3
An enhancement has been added to support operator page context evaluation with a Rule-Utility-Function during property mapping evaluation.
INC-201573 · Issue 694750
Client secret made optional for JWT Bearer Grant type
Resolved in Pega Version 8.6.3
After update, trying to connect a REST API using OpenAM as the provider for OAuth and using JWT Bearer as Grant type was resulting in an error indicating the request was not reaching the destination. This was traced to the client secret being designated a mandatory field when it should be optional in this case as the required key store was already configured with a JWT token profile. To resolve this, an update has been made which will make the client secret optional when the authentication scheme is JWT Bearer. In addition, the blank value caused a null pointer error when the client secret was not passed. This has been handled with a check.
INC-204045 · Issue 694323
Signature map updated for fetching keys
Resolved in Pega Version 8.6.3
MFA login worked with SAML 2.0 when the certificate was disabled but failed when the certificate was enabled in Auth Service. The error " "Signature algorithm is null" appeared. This has been resolved by updating the signature map to ignore case sensitivity while fetching keys.
INC-204897 · Issue 696148
Log4j file security vulnerability issue addressed
Resolved in Pega Version 8.6.3
A zero-day vulnerability was identified in the Apache Log4j logging software which could potentially allow malicious actors to take control of organizational networks. Pega has immediately and thoroughly addressed this issue. More information can be found at https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability .
INC-201109 · Issue 701941
Servlet management documentation updated
Resolved in Pega Version 8.8
The documentation for Servlet management has been updated to clarify that before you can move URL patterns using the Servlet Management landing page, you must remove the web.xml file from your Pega Cloud environment. If the * URL pattern is still available in the web.xml file, it remains in read only mode and cannot be edited using the indicated steps. More information is available at https://docs.pega.com/security/87/moving-url-pattern-between-servlets
INC-205525 · Issue 699064
Documentation updated for Samesite settings
Resolved in Pega Version 8.8
The documentation for enabling and configuring cross-site scripting settings has been updated to clarify the definitions of the Samesite settings Lax, Strict and None: https://docs.pega.com/security/88/enabling-and-configuring-cross-site-request-forgery-settings None – If you select this option, Pega Platform offers no protection. The browser attaches the cookies in all cross-site browsing contexts. Lax – If you select this option, Pega Platform provides a reasonable balance between security and usability for websites that want to maintain logged-in sessions after users arrive from an external link. The browser does not send cookies in requests from non-originating sites. Strict – If you select this option, Pega Platform prevents the browser
INC-209744 · Issue 703275
Documentation for job schedulers updated
Resolved in Pega Version 8.8
The documentation for how job schedulers use System Runtime Context (SRC) has been updated to specify that at run time, any application-specific metadata such as work ID prefixes, in any of the applications in the SRC stack, is not available to the job activity.
INC-214974 · Issue 721179
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.8
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/88/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."
INC-217942 · Issue 716932
BIX article updated for XML extract rules
Resolved in Pega Version 8.8
The BIX article "Creating and running an Extract rule" has been updated to reflect that the "Get all properties" option fetches basic properties only, and that properties must be selected manually for non-BLOB tables.