SR-113624 · Issue 167070
Enabling out-of-the-box Security Policies now redirects immediately
Resolved in Pega Version 7.1.7
When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.
SR-118880 · Issue 172588
Change Password redirect loop fixed
Resolved in Pega Version 7.1.7
When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.
INC-227878 · Issue 727855
UPDATE IMPACT FOR PEGA CALL
Resolved in Pega Version 8.7.3
Log4j-1.2.14.jar and Log4j-1.2.17.jar have been removed to address the security concerns with these versions, and logger jars have been upgraded to 12.7.2 version (from 12.7.1 version) to make Pega Call compatible. This change will impact Pega Call customer environments due to Avaya or Genesys, which are part of Pega Call, having an internal dependency on Log4j1.x version jars. As a result, the SDK logging for Avaya or Genesys will not be available in the 8.7.3 release unless the Log4j-1.x jar files are reimported locally.
INC-173596 · Issue 673089
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.7.3
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-228169 · Issue 729187
Login error messages updated
Resolved in Pega Version 8.7.3
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
INC-173596 · Issue 673104
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.8
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-188127 · Issue 678350
Updated cache key generation for ROPC
Resolved in Pega Version 8.8
After configuring outbound email functionality using MSGraph with OAuth 2.0, sending the emails failed consistently following passivation. Running "Test connectivity" in the Email Account data instance then seemed to restart the functionality and the automation "Create And Send Email" subsequently worked. This was traced to a missing username in the cache key generation for the Resource Owner Password Credentials (ROPC), which caused the same token to be fetched when attempting to dynamically generate different usernames, and has been resolved.
INC-194865 · Issue 695620
Corrected report definition save-as-image option
Resolved in Pega Version 8.8
Attempting to save a report definition as an image resulted in an access denied error stating "Browser fingerprint validation failed : A request was received with an invalid or missing browser fingerprint. The request was denied", and the user session was closed. The security SECU0017 alert is generated when a request is sent to a Pega application and the browser fingerprint is either missing or does not match the expected value. The system tries to check the type of request for every requestor ID and fetch the CSRF token, but in this case it was not matching with the token present on the requestor thread. This has been resolved by adding scripts to send the hidden input value needed.
INC-198571 · Issue 708634
SSO update
Resolved in Pega Version 8.8
In order to ensure shared SSO direct links are used as intended, an update has been made which will explicitly require re-authentication for each use of a direct link.
INC-202702 · Issue 713725
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.8
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.