INC-138490 · Issue 591016
Handling added for samesite cookies with httpOnly
Resolved in Pega Version 8.1.9
After enabling samesite cookies on Google Chrome to support Mashup login, intermittent issues were seen with a non-mashup login where entering the OperatorID and password only resulted in a refresh of the login screen. This was traced to a scenario where an httponly cookie attribute was present along with samesite cookie attributes, and has been resolved by adding handling for a condition where samesite is set and httpOnly is enabled.
SR-D95148 · Issue 557485
Port validation updated for redirect URI
Resolved in Pega Version 8.1.9
When an offline app for windows client was generated, trying to login via SSO resulted in the error "invalid redirect_uri". This was traced to the system validating the whole loopback redirection URL, e.g. "http://127.0.0.1:1234/redirection", including the port number. To enhance flexibility, an update has been made so that the port number will not be validated, allowing the client to establish it based on availability at the moment of the request to the authorization service. NOTE: As a best practice, a loopback URL should not be configured as a redirect URI. If a loopback URL is configured, then at run time the port number will not be validated, and the client application can use any available port on the system including ports that may not be intended for use.
SR-D31734 · Issue 515655
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.3.2
An cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D33214 · Issue 514022
Added safeURL encoding for Japanese characters in attached filenames
Resolved in Pega Version 8.3.2
It was not possible to preview a Japanese-titled PDF file attached on a work object. Investigation showed that in case of Japanese characters, file names were not being correctly encoded during the fetch request when JBoss was used. The retrieval worked correctly under Tomcat. In order to ensure consistent encoding, the safeURL API will be used for constructing the URL and for the activities DisplayAttachFile and pzDownloadFromRepository which add the ContentDisposition header.
SR-D67321 · Issue 532627
ShowXML activity deprecated
Resolved in Pega Version 8.3.2
The activity @baseclass.ShowXML has been blocked for security reasons. If the functionality is needed, a a single line step of "Show-Applet-Data" may be used.
INC-164432 · Issue 696294
Global obfuscation key initialized on first requestor call
Resolved in Pega Version 8.6.4
When using URLEncryption = true and SubmitObfuscatedURL = optional, attempting to export an Excel spreadsheet resulted in the error "Invalid character found in the request target". This was traced to the variable pega.d.globalobfuscateKey having a null value which was then converted to a byte array and decoded, generating improper characters in the URL. After a browser refresh, the correct value was set in pega.d.globalobfuscateKey and the export worked as expected. To resolve this, an update has been made to initialize the key on the very first call in PRRequestorImpl when the global obfuscation key is determined to be NULL instead of initializing the global obfuscation key by on-demand basis from HTTPAPI.
INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.