INC-137516 · Issue 592455
Invalid redirect URI logging changed from error to warn
Resolved in Pega Version 8.2.8
The Pega Mobile client was reporting an "Invalid redirect URI" error triggered by the OOTB AuthorizationService. This condition is a warning, not an error, so the log method has been changed from error to warn.
INC-137709 · Issue 584289
New security role added to restrict access to development-specific classes
Resolved in Pega Version 8.2.8
A new security role and related RAROs have been implemented to allow better security for end users on non-BAC systems. This restricts access to Rules and execution of activities on classes that are development-specific.
INC-144597 · Issue 598306
Updated handling for MT query of pr_data_admin table
Resolved in Pega Version 8.2.8
When using a multi-tenant environment with Oracle, as the number of users in the environment increased, the number of queries of the pr_data_admin table with "WHERE pyEnableAuthService" increased exponentially and caused system slowness. This was traced to missing handling for the @ character in the authentication service cache while requesting, and has been resolved by updating authservicecache.java.
INC-145694 · Issue 601295
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.2.8
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-142648 · Issue 594805
PRTraceServlet security check added
Resolved in Pega Version 8.2.8
Modifying the Pega application URL with PRTraceServlet displayed multiple user credentials and session information. This has been corrected with the addition of a privilege check in GetConnectionListCommand before allowing the connections list to be fetched.
INC-207693 · Issue 700541
Documentation updated for large attachments permissions error
Resolved in Pega Version 8.6.4
When using the Microsoft Graph API to send an email which contained an individual attachment 3MB or larger, the error "The token contains no permissions, or permissions can not be understood" was generated. Because the Microsoft Graph API has an attachment size limitation, the Microsoft Graph API send email flow switches to the Office 365 Exchange Online API when that size limit is hit. The documentation for this has been updated to explicitly reflect that Office 365 Exchange Online API permissions must be enabled in the Azure Active Directory app settings.
INC-164432 · Issue 696294
Global obfuscation key initialized on first requestor call
Resolved in Pega Version 8.6.4
When using URLEncryption = true and SubmitObfuscatedURL = optional, attempting to export an Excel spreadsheet resulted in the error "Invalid character found in the request target". This was traced to the variable pega.d.globalobfuscateKey having a null value, which was then converted to a byte array and decoded, generating improper characters in the URL. After a browser refresh, the correct value was set in pega.d.globalobfuscateKey and the export worked as expected. To resolve this, an update has been made to initialize the key on the very first call in PRRequestorImpl when the global obfuscation key is determined to be NULL, instead of initializing the global obfuscation key on an on-demand basis from HTTPAPI.
INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
In order to support private_key_jwt, an enhancement has been added which will pass the "Client ID" and "Client assertion" (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) by verifying the signature and payload of the assertion, retrieving the public key via Pega's JWKS endpoint.
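The exchange this entry describes, shown from both sides as an added example that is not Pega's code and is not part of the original release note: the client signs a client assertion whose claims bind it to its own client_id and to the Authorization Server's token endpoint, and the Authorization Server verifies the RS256 signature against the public key it fetched from the client's JWKS endpoint before trusting any claim. The JWKS fetch is represented here by a map of kid to public key already retrieved; the key id "pega-key-1", the client_id "pega-client" and the token endpoint URL are constructed values, not real Pega or IdP identifiers. The assertion layout follows RFC 7523 section 3 and OpenID Connect Core section 9 (iss and sub equal to the client_id, aud equal to the token endpoint, a unique jti, a short exp).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JOSE (RFC 7515) requires

// Claims a private_key_jwt client assertion must carry (RFC 7523 section 3, OIDC Core section 9).
type ClientAssertionClaims struct {
	Iss string `json:"iss"` // the client_id
	Sub string `json:"sub"` // also the client_id
	Aud string `json:"aud"` // the Authorization Server's token endpoint
	Jti string `json:"jti"` // unique per assertion, so a captured one cannot be replayed
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"` // keep the lifetime short
}

// BuildClientAssertion is the client side: sign the claims with RS256 and return the compact JWT
// that is sent in the client_assertion parameter alongside client_id.
func BuildClientAssertion(priv *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(ClientAssertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64.EncodeToString(jti), Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyClientAssertion is the Authorization Server side. jwksKeys stands in for the keys fetched
// from the client's JWKS endpoint, indexed by kid. The signature is checked before any claim is
// trusted; the claims are then checked to bind the assertion to this client, this token endpoint
// and the present moment.
func VerifyClientAssertion(assertion string, jwksKeys map[string]*rsa.PublicKey, clientID, tokenEndpoint string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not get to choose it
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	pub, ok := jwksKeys[hdr.Kid]
	if !ok {
		return nil, errors.New("no key with kid " + hdr.Kid + " at the client's JWKS endpoint")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c ClientAssertionClaims
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad claims")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("assertion not issued by the expected client")
	case c.Aud != tokenEndpoint:
		return nil, errors.New("assertion not addressed to this token endpoint")
	case c.Jti == "":
		return nil, errors.New("missing jti")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the client's key pair; the private half never leaves the client
	if err != nil {
		panic(err)
	}
	keys := map[string]*rsa.PublicKey{"pega-key-1": &priv.PublicKey} // what the AS fetches from the JWKS endpoint (constructed)
	assertion, _ := BuildClientAssertion(priv, "pega-key-1", "pega-client", "https://idp.example/oauth2/token", time.Now())
	claims, err := VerifyClientAssertion(assertion, keys, "pega-client", "https://idp.example/oauth2/token", time.Now())
	fmt.Println(claims, err)
}
```

The aud check is what prevents an assertion minted for one Authorization Server from being presented to another, and the jti plus short exp limit what a captured assertion is worth; a production Authorization Server would additionally remember seen jti values until they expire and cache the JWKS document with a bounded refresh interval.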