SR-D55508 · Issue 521862
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.4
An error screen appeared with the message "Server response error, no update data returned" while doing a check out and check in of the offer rule. This was traced to CSRF token validation: in this scenario, a custom URL was being framed and the corresponding request did not have a valid CSRF/ Fingerprint token, which can occur when there are custom AJAX/Non-ajax URLs constructed manually in the non-autogenerated/HTML streams. To address this, handling has been added for CSRF and fingerprint tokens as part of the custom URL generation.
SR-D56409 · Issue 520743
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.4
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D62949 · Issue 527502
XSS protection added
Resolved in Pega Version 8.4
The CrossScriptingFilter API has been applied to address a potential XSS issue related to stream rule parameters used in the request header.
SR-D63232 · Issue 524295
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.4
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed the Authentication service rule could only map attributes that are on the top level page and did not consider embedded page values. To resolve this, tools.getProperty will be used to fetch the property reference value instead of find Page and getString.
SR-D63727 · Issue 531726
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D71378 · Issue 533282
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
INC-174321 · Issue 664240
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.4.6
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
INC-184756 · Issue 667323
Static assembler correctly creates temp directory
Resolved in Pega Version 8.4.6
Static Assembly CLI was failing while creating a temp directory. This was traced to an issue with staticAssembler.xml, and has been resolved. In addition, security improvements have been added to the XML transformer.
INC-190722 · Issue 676403
Ruleset Restoration Utility repaired
Resolved in Pega Version 8.4.6
Attempting to use the standard Ruleset Restoration utility after update was resulting in a "Status:fail Operator:Unauthenticated or not available Node:No ID available" error message. This was a missed use case for the refactoring done around importing rules, and was caused by the utility calling the deprecated Importable.isValidImport() method. This has been resolved by updating the import activity to restore its functionality.
INC-161984 · Issue 638858
Web Tier busy threads released on timeout
Resolved in Pega Version 8.7
Tomcat Web Tier Busy Threads were not being correctly released, causing stability and performance problems that included health check pings not receiving a thread to service the request so the node was marked as bad, users were quiesced, and the node replaced. Investigation showed the 'put' on the blocking queue did not time out when the queue was full and waited indefinitely, keeping the thread blocked. To resolve this, the system will use 'offer' on the blocking queue instead of 'put' to force thread release on timeout. In addition, debug logs have been added to understand when the offer (or Put) does not succeed and the state of the queue that is causing this issue; the debug logs for class com.pega.pegarules.session.internal.serverpush.RoboticAutomationImpl should be enabled only if the thread busy issue is observed and for limited time window while actively debugging.