INC-225503 · Issue 737019
DSS added to configure outflow signature digest method algorithm
Resolved in Pega Version 8.8
After update, a change was seen in the digest method of a SOAP response. The site was configured to use WS-Security Profile SHA-1 as the digest algorithm, but the warning from the testing tool WCF (Windows Communication Foundation) indicated this was not being followed with the message "the algorithm 'xmlenc#sha256' is not accepted for operation 'Digest'". For better compatibility, the DSS outflowSignatureDigestAlgorithm has been added to support configuring the outflow signature digest method algorithm.
INC-225840 · Issue 730754
Key ID made optional for JWT
Resolved in Pega Version 8.8
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-226479 · Issue 727465
Cross-site scripting filters added to redirect parameters
Resolved in Pega Version 8.8
Cross-site scripting protections have been added to Param.redirect to improve security.
INC-227736 · Issue 744475
Added polling lock to handle CDK Key rotation issues
Resolved in Pega Version 8.8
An error was generated when attempting to open existing encrypted contacts created in the Sales Automation application. This was traced to multiple nodes generating CDKs simultaneously, leading to a race condition, and has been resolved by refactoring the CDK generation code so it will acquire a lock when polling the database to avoid a race condition.
INC-227769 · Issue 731726
ReloadHarness security updated
Resolved in Pega Version 8.8
Security handling has been updated for ReloadHarness to ensure proper CSRF validation.
INC-228169 · Issue 729003
Login error messages updated
Resolved in Pega Version 8.8
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
INC-232970 · Issue 742011
Security update for MashUp
Resolved in Pega Version 8.8
Cross site scripting protections have been updated for the LoadMashupPage activity and RedirectTo parameter.
SR-119800 · Issue 177840
Security policy transaction mismatch error resolved
Resolved in Pega Version 7.1.8
If security policies are enabled, logging out and then logging in prompts a password change. If the password was changed and then the page was refreshed, a transaction mismatch error occurred. This was caused by incomplete clearing of the password setting transaction, and the system has been updated to properly switch transactions.
SR-123636 · Issue 184161
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-123636 · Issue 181701
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.