INC-175706 · Issue 659528
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.6.1
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
INC-175897 · Issue 655467
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.6.1
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after update new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.
INC-227878 · Issue 727855
UPDATE IMPACT FOR PEGA CALL
Resolved in Pega Version 8.7.3
Log4j-1.2.14.jar and Log4j-1.2.17.jar have been removed to address the security concerns with these versions, and logger jars have been upgraded to 12.7.2 version (from 12.7.1 version) to make Pega Call compatible. This change will impact Pega Call customer environments due to Avaya or Genesys, which are part of Pega Call, having an internal dependency on Log4j1.x version jars. As a result, the SDK logging for Avaya or Genesys will not be available in the 8.7.3 release unless the Log4j-1.x jar files are reimported locally.
INC-173596 · Issue 673089
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.7.3
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-228169 · Issue 729187
Login error messages updated
Resolved in Pega Version 8.7.3
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
SR-A102969 · Issue 273954
XSS security update for error.jsp
Resolved in Pega Version 7.3
The error.jsp file has been updated for better XSS security with WebSphere and Firefox.
SR-A96514 · Issue 275326
Updated encryption logic for URL obfuscation
Resolved in Pega Version 7.3
If URL obfuscation was enabled and the incoming URL had non-ASCII characters (or UNICODE) characters in it, the encryption process was failing due to the incorrect length of byte array formation in padding logic. This logic error has been corrected.
SR-A97323 · Issue 266550
XSS filtering added to pzDisplayModalDialog
Resolved in Pega Version 7.3
XSS filtering has been added to the pzDisplayModalDialog to improve security.
SR-B10697 · Issue 282917
XSS handling added for pyCategory in Rule-Obj-Listview.ListViewHeader
Resolved in Pega Version 7.3
Cross-site scripting handling has been added for the pyCategory parameter in ListViewHeader to improve security.
SR-B10697 · Issue 280753
XSS handling added for pyCategory in Rule-Obj-Listview.ListViewHeader
Resolved in Pega Version 7.3
Cross-site scripting handling has been added for the pyCategory parameter in ListViewHeader to improve security.