INC-196414 · Issue 684238
OAuth token refreshed when revoked on source
Resolved in Pega Version 8.7
When an OAuth token was used to authorize the APIs in the system, revoking the token at the source, i.e. from the Service side, did not automatically refresh the token and a logoff/logon was required before a fresh token was generated. This has been resolved by adding an update to explicitly purge revoked tokens.
INC-196431 · Issue 684886
Refresh assignment checks updated
Resolved in Pega Version 8.7
Additional privilege checks have been added to refresh assignment.
INC-199303 · Issue 690629
Guided Tour working from Actions menu
Resolved in Pega Version 8.7
After updating from Pega 8.4 to Pega 8.5, "Manage a Guided Tour" was no longer working under a local action when called from the Actions menu on a work object. An unspecified error message appeared in the tracer. Investigation showed there was a null pointer error caused by the menu being invoked on an invalid page, and this was traced to updated authentication requirements: registration at the portal is not reliable as it is thread-scoped and run only once. The thread name is not guaranteed to stay the same so subsequent invocations of the tour activities failed. This has been resolved by modifying the call registration function to handle the security issues related to the generation of the menu path.
INC-200299 · Issue 689561
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.7
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after upgrade new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.
INC-204897 · Issue 695409
Log4j file security vulnerability issue addressed
Resolved in Pega Version 8.7
A zero-day vulnerability was identified in the Apache Log4j logging software which could potentially allow malicious actors to take control of organizational networks. Pega has immediately and thoroughly addressed this issue. More information can be found at https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability .
SR-113624 · Issue 167070
Enabling out-of-the-box Security Policies now redirects immediately
Resolved in Pega Version 7.1.7
When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.
SR-118880 · Issue 172588
Change Password redirect loop fixed
Resolved in Pega Version 7.1.7
When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.