INC-194287 · Issue 681065
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.7
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
INC-196414 · Issue 684238
OAuth token refreshed when revoked on source
Resolved in Pega Version 8.7
When an OAuth token was used to authorize the APIs in the system, revoking the token at the source, i.e. from the Service side, did not automatically refresh the token and a logoff/logon was required before a fresh token was generated. This has been resolved by adding an update to explicitly purge revoked tokens.
INC-196431 · Issue 684886
Refresh assignment checks updated
Resolved in Pega Version 8.7
Additional privilege checks have been added to refresh assignment.
INC-199303 · Issue 690629
Guided Tour working from Actions menu
Resolved in Pega Version 8.7
After updating from Pega 8.4 to Pega 8.5, "Manage a Guided Tour" was no longer working under a local action when called from the Actions menu on a work object. An unspecified error message appeared in the tracer. Investigation showed there was a null pointer error caused by the menu being invoked on an invalid page, and this was traced to updated authentication requirements: registration at the portal is not reliable as it is thread-scoped and run only once. The thread name is not guaranteed to stay the same so subsequent invocations of the tour activities failed. This has been resolved by modifying the call registration function to handle the security issues related to the generation of the menu path.
INC-200299 · Issue 689561
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.7
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after upgrade new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.
INC-204897 · Issue 695409
Log4j file security vulnerability issue addressed
Resolved in Pega Version 8.7
A zero-day vulnerability was identified in the Apache Log4j logging software which could potentially allow malicious actors to take control of organizational networks. Pega has immediately and thoroughly addressed this issue. More information can be found at https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability .
SR-A12775 · Issue 236646
ChangePassword screen now allows custom messages
Resolved in Pega Version 7.2.1
The pzChangePassword activity has been enhanced to allow customizing the change password screen
SR-A14879 · Issue 232530
Improved security for JSON stack
Resolved in Pega Version 7.2.1
To increase security, the response to invalid JSON input will display a generic InvalidStream message rather than the full class name and method name. The complete information will be available in the log.
SR-A15922 · Issue 231258
Support added for cleartext passwords in Snapstart
Resolved in Pega Version 7.2.1
When posting credentials from an external source, the code makes the assumption that the Password value is encoded and therefore it is decoded prior to being handed to the authentication activity in Pega. This is not always the case. If the Password value is passed as clear text the result in the activity is garbled. This creates problems when subsequent authentication is attempted to an external source. To support this handling, a new DASS 'authentication/Snapstart/pwddecode' has been added. When the setting is false, the password is not decoded in Snapstart cases and will necessitate a cleartext password.
SR-A16543 · Issue 235300
Resolved Interaction Portal unexpected close
Resolved in Pega Version 7.2.1
In Google Chrome, launching a secondary portal and encountering a Content Security Policy issue relating to an image caused the secondary portal to automatically close and the developer portal to be refreshed. This was an issue with a mismatch in the pyrequestor token, and has been corrected.