SR-D55508 · Issue 521862
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.4
An error screen appeared with the message "Server response error, no update data returned" while doing a check out and check in of the offer rule. This was traced to CSRF token validation: in this scenario, a custom URL was being framed and the corresponding request did not have a valid CSRF/ Fingerprint token, which can occur when there are custom AJAX/Non-ajax URLs constructed manually in the non-autogenerated/HTML streams. To address this, handling has been added for CSRF and fingerprint tokens as part of the custom URL generation.
SR-D56409 · Issue 520743
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.4
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D62949 · Issue 527502
XSS protection added
Resolved in Pega Version 8.4
The CrossScriptingFilter API has been applied to address a potential XSS issue related to stream rule parameters used in the request header.
SR-D63232 · Issue 524295
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.4
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed the Authentication service rule could only map attributes that are on the top level page and did not consider embedded page values. To resolve this, tools.getProperty will be used to fetch the property reference value instead of find Page and getString.
SR-D63727 · Issue 531726
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D71378 · Issue 533282
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D48396 · Issue 520424
Hazelcast upgraded to resolve node startup issue
Resolved in Pega Version 8.1.8
Post data upgrade, the ADM tier failed to start and the error "java.lang.IllegalStateException: Node failed to start!" appeared. This was traced to a dormant bug in Hazelcast 3.11 that caused starting nodes to fail when the Hazelcast master node was shutting down, which was exposed by recent Pega changes made to enable parallel restarts of nodes in Cloud environments. Hazelcast delivered a fix for the parallel restart problem and the hotfixed jar has been merged into the platform.
SR-D52249 · Issue 515703
Resolved Oracle thread deadlock for Merge SQL
Resolved in Pega Version 8.1.8
After starting a large cluster and running it for a couple of days, Oracle Deadlocks started to appear due to resource contention during MERGE SQL execution on the PR_INDEX_REFERENCE database table. The "ORA-00060: deadlock detected while waiting for resource" ERROR occur continuously every 10 minutes during the "MasterForNewAgents" Daemon run. All JVMs are impacted by the ERROR/Deadlock. Investigation showed that even though the identified / problematic Data-Agent_queue instances were disabled for PegaAESRemote, the MERGE SQLs continued to fire. To resolve this, an update has been made so the system will skip the copy of rule reference property from RAQ, while creating DAQ.
SR-D55160 · Issue 520356
Namibia and Botswana added to Currency Symbol values
Resolved in Pega Version 8.1.8
Support has been added for the Namibia (en_NA) and Botswana (en_BW) locales in the default Currency Symbol values.
SR-D56527 · Issue 538302
DSS PegaAESREmote*ResetTableStats set to false
Resolved in Pega Version 8.1.8
In order to prevent an issue with resetting table stats that potentially impacts postgres in an unintended fashion, the DSS PegaAESREmote*ResetTableStats has been set to false.