SR-131072 · Issue 203709
Requestor token creation added for PRExternal authentication
Resolved in Pega Version 7.1.9
When using a PRExternal authentication scheme, the csrfsession requestor token was not created. This caused a heavy volume of INFO logging messages in production due to the null token. This authentication path has now been added and the token will be correctly created for use.
SR-131691 · Issue 202207
Improved performance for incorrect password handling
Resolved in Pega Version 7.1.9
When the operator entered the wrong password in the login screen, numerous "Stream Overwritten" alerts appeared the Alert log. There was no workflow problem involved, but the logging indicated that there was an additional unnecessary call being made to Stream Web-Login, and that unneeded call has been removed to improve system performance and remove the error being logged.
SR-A4056 · Issue 211550
Corrected validation error for Extract rule field length
Resolved in Pega Version 7.1.9
A validation error noting that the field length of the table was limited to 30 characters was occurring when trying to check in an Extract rule even if the field value had been shortened. While checking in the extract rule, a block of code in the Rule-Utility-Function validateTreeProperties was recomputing the pagelist's table name instead of using the one provided by the user. The Rule-Utility-Function validateTreeProperties function has been modified to fix the issue.
SR-A87291 · Issue 255631
JDBC password encryption check logic updated
Resolved in Pega Version 7.2.2
When using a Database instance with a JDBC connection URL, the specified password is encrypted. An issue was occurring where multiple saves of the instance caused the encrypted password to be encrypted again, causing the agent to lose access to the DB due to an authentication failure. The problem was traced to a logic flaw in the method used to check whether the password was already encrypted, and has been fixed.
SR-A91802 · Issue 260001
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
A valid authentication attempt with security policies and password lock-out feature enabled caused the 'OperatorID' to be present in all the threads, but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in 'STANDARD' thread and empty in other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.
SR-A90144 · Issue 259472
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.