INC-225503 · Issue 737019
DSS added to configure outflow signature digest method algorithm
Resolved in Pega Version 8.8
After update, a change was seen in the digest method of a SOAP response. The site was configured to use WS-Security Profile SHA-1 as the digest algorithm, but the warning from the testing tool WCF (Windows Communication Foundation) indicated this was not being followed with the message "the algorithm 'xmlenc#sha256' is not accepted for operation 'Digest'". For better compatibility, the DSS outflowSignatureDigestAlgorithm has been added to support configuring the outflow signature digest method algorithm.
INC-225840 · Issue 730754
Key ID made optional for JWT
Resolved in Pega Version 8.8
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-226479 · Issue 727465
Cross-site scripting filters added to redirect parameters
Resolved in Pega Version 8.8
Cross-site scripting protections have been added to Param.redirect to improve security.
INC-227736 · Issue 744475
Added polling lock to handle CDK Key rotation issues
Resolved in Pega Version 8.8
An error was generated when attempting to open existing encrypted contacts created in the Sales Automation application. This was traced to multiple nodes generating CDKs simultaneously, leading to a race condition, and has been resolved by refactoring the CDK generation code so it will acquire a lock when polling the database to avoid a race condition.
INC-227769 · Issue 731726
ReloadHarness security updated
Resolved in Pega Version 8.8
Security handling has been updated for ReloadHarness to ensure proper CSRF validation.
INC-228169 · Issue 729003
Login error messages updated
Resolved in Pega Version 8.8
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.
INC-232970 · Issue 742011
Security update for MashUp
Resolved in Pega Version 8.8
Cross site scripting protections have been updated for the LoadMashupPage activity and RedirectTo parameter.
INC-163791 · Issue 704030
Simplified default reference time calculations
Resolved in Pega Version 8.8
After a job scheduler was configured to run at Start time = 21:00:00 for Time zone = Europe/London, the scheduler determined 20:00:00 as the next start time. This was due to the calculation for the next start time using the time zone offset calculation pattern for the date and time stored in System-Runtime-Context.pxCreateDateTime, which had difficulty with changes to the time zone definition implemented in the time between the given date and today (meaning the current time) such as daylight savings time. To resolve this, the default reference time from System Runtime Context will be 'now' instead of Date(0).
INC-184964 · Issue 705932
TextMask_Encrypted rule added for use with Oracle
Resolved in Pega Version 8.8
When a property was being encrypted by propertyEncrypt access control policy and masked by propertyRead access control policy, it showed a "@@getMaskedValueOfText" error. This has been resolved with the addition of a new rule pxTextMask_Encrypted for Oracle product type which will remove extra spaces from the SOURCE string to handle ORACLE specific usecases.
INC-186897 · Issue 681030
DSS DisableAutoComplete setting honored
Resolved in Pega Version 8.8
Setting DisableAutoComplete DSS was not working as expected. This was traced to the system not being able to read the DSS value due to timing related to database startup, and has been resolved by directing the system to read the setting in PREnvironment.java instead of from the prconfig.