INC-207693 · Issue 700541
Documentation updated for large attachments permissions error
Resolved in Pega Version 8.6.4
When using the Microsoft Graph API to send an email which contained an individual attachment 3MB or larger, the error "The token contains no permissions, or permissions can not be understood" was generated. Because the Microsoft Graph API has an attachment size limitation, the Microsoft Graph API send email flow will switch to using the Office 365 Exchange Online API when that size limit is hit. The documentation for this has been updated to explicitly reflect that Office 365 Exchange Online API permissions must be enabled in the Azure Active directory app settings.
INC-164432 · Issue 696294
Global obfuscation key initialized on first requestor call
Resolved in Pega Version 8.6.4
When using URLEncryption = true and SubmitObfuscatedURL = optional, attempting to export an Excel spreadsheet resulted in the error "Invalid character found in the request target". This was traced to the variable pega.d.globalobfuscateKey having a null value which was then converted to a byte array and decoded, generating improper characters in the URL. After a browser refresh, the correct value was set in pega.d.globalobfuscateKey and the export worked as expected. To resolve this, an update has been made to initialize the key on the very first call in PRRequestorImpl when the global obfuscation key is determined to be NULL instead of initializing the global obfuscation key by on-demand basis from HTTPAPI.
INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-201109 · Issue 701941
Servlet management documentation updated
Resolved in Pega Version 8.8
The documentation for Servlet management has been updated to clarify that before you can move URL patterns using the Servlet Management landing page, you must remove the web.xml file from your Pega Cloud environment. If the * URL pattern is still available in the web.xml file, it remains in read only mode and cannot be edited using the indicated steps. More information is available at https://docs.pega.com/security/87/moving-url-pattern-between-servlets
INC-205525 · Issue 699064
Documentation updated for Samesite settings
Resolved in Pega Version 8.8
The documentation for enabling and configuring cross-site scripting settings has been updated to clarify the definitions of the Samesite settings Lax, Strict and None: https://docs.pega.com/security/88/enabling-and-configuring-cross-site-request-forgery-settings None – If you select this option, Pega Platform offers no protection. The browser attaches the cookies in all cross-site browsing contexts. Lax – If you select this option, Pega Platform provides a reasonable balance between security and usability for websites that want to maintain logged-in sessions after users arrive from an external link. The browser does not send cookies in requests from non-originating sites. Strict – If you select this option, Pega Platform prevents the browser
INC-209744 · Issue 703275
Documentation for job schedulers updated
Resolved in Pega Version 8.8
The documentation for how job schedulers use System Runtime Context (SRC) has been updated to specify that at run time, any application-specific metadata such as work ID prefixes, in any of the applications in the SRC stack, is not available to the job activity.
INC-214974 · Issue 721179
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.8
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/88/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."