INC-225840 · Issue 730754
Key ID made optional for JWT
Resolved in Pega Version 8.8
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-226479 · Issue 727465
Cross-site scripting filters added to redirect parameters
Resolved in Pega Version 8.8
Cross-site scripting protections have been added to Param.redirect to improve security.
INC-227736 · Issue 744475
Added polling lock to handle CDK Key rotation issues
Resolved in Pega Version 8.8
An error was generated when attempting to open existing encrypted contacts created in the Sales Automation application. This was traced to multiple nodes generating CDKs simultaneously, leading to a race condition, and has been resolved by refactoring the CDK generation code so it will acquire a lock when polling the database to avoid a race condition.
INC-227769 · Issue 731726
ReloadHarness security updated
Resolved in Pega Version 8.8
Security handling has been updated for ReloadHarness to ensure proper CSRF validation.
INC-228169 · Issue 729003
Login error messages updated
Resolved in Pega Version 8.8
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
INC-232970 · Issue 742011
Security update for MashUp
Resolved in Pega Version 8.8
Cross site scripting protections have been updated for the LoadMashupPage activity and RedirectTo parameter.
SR-119800 · Issue 177840
Security policy transaction mismatch error resolved
Resolved in Pega Version 7.1.8
If security policies are enabled, logging out and then logging in prompts a password change. If the password was changed and then the page was refreshed, a transaction mismatch error occurred. This was caused by incomplete clearing of the password setting transaction, and the system has been updated to properly switch transactions.
SR-123636 · Issue 184161
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-123636 · Issue 181701
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-124473 · Issue 186179
Added handling for unauthenticated asynchronous SOAP service
Resolved in Pega Version 7.1.8
After implementing changes to work around an error with SOAP authentication, the unauthenticated asynchronous SOAP service generated an error and failed to complete. This was due to the changes to the authentication process omitting the asynchronous mode case when a SOAP service that intended to not use authentication ends up calling a sub-activity that requires authentication. This use case is now covered.