SR-113624 · Issue 167070
Enabling out-of-the-box Security Policies now redirects immediately
Resolved in Pega Version 7.1.7
When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.
SR-118880 · Issue 172588
Change Password redirect loop fixed
Resolved in Pega Version 7.1.7
When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.
INC-227878 · Issue 727855
UPDATE IMPACT FOR PEGA CALL
Resolved in Pega Version 8.7.3
Log4j-1.2.14.jar and Log4j-1.2.17.jar have been removed to address the security concerns with these versions, and logger jars have been upgraded to 12.7.2 version (from 12.7.1 version) to make Pega Call compatible. This change will impact Pega Call customer environments due to Avaya or Genesys, which are part of Pega Call, having an internal dependency on Log4j1.x version jars. As a result, the SDK logging for Avaya or Genesys will not be available in the 8.7.3 release unless the Log4j-1.x jar files are reimported locally.
INC-223851 · Issue 722731
Property encryption documentation updated
Resolved in Pega Version 8.7.3
Documentation on encryption has been updated to clarify that Property Encrypt policies can only be created in Work- Data- , and Index class descendents.
INC-173596 · Issue 673089
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.7.3
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-228169 · Issue 729187
Login error messages updated
Resolved in Pega Version 8.7.3
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
INC-201109 · Issue 701941
Servlet management documentation updated
Resolved in Pega Version 8.8
The documentation for Servlet management has been updated to clarify that before you can move URL patterns using the Servlet Management landing page, you must remove the web.xml file from your Pega Cloud environment. If the * URL pattern is still available in the web.xml file, it remains in read only mode and cannot be edited using the indicated steps. More information is available at https://docs.pega.com/security/87/moving-url-pattern-between-servlets
INC-205525 · Issue 699064
Documentation updated for Samesite settings
Resolved in Pega Version 8.8
The documentation for enabling and configuring cross-site scripting settings has been updated to clarify the definitions of the Samesite settings Lax, Strict and None: https://docs.pega.com/security/88/enabling-and-configuring-cross-site-request-forgery-settings None – If you select this option, Pega Platform offers no protection. The browser attaches the cookies in all cross-site browsing contexts. Lax – If you select this option, Pega Platform provides a reasonable balance between security and usability for websites that want to maintain logged-in sessions after users arrive from an external link. The browser does not send cookies in requests from non-originating sites. Strict – If you select this option, Pega Platform prevents the browser
INC-209744 · Issue 703275
Documentation for job schedulers updated
Resolved in Pega Version 8.8
The documentation for how job schedulers use System Runtime Context (SRC) has been updated to specify that at run time, any application-specific metadata such as work ID prefixes, in any of the applications in the SRC stack, is not available to the job activity.
INC-214974 · Issue 721179
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.8
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/88/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."