INC-204897 · Issue 695409
Log4j file security vulnerability issue addressed
Resolved in Pega Version 8.7
A zero-day vulnerability was identified in the Apache Log4j logging software which could potentially allow malicious actors to take control of organizational networks. Pega has immediately and thoroughly addressed this issue. More information can be found at https://docs.pega.com/security-advisory/security-advisory-apache-log4j-zero-day-vulnerability .
INC-161984 · Issue 638858
Web Tier busy threads released on timeout
Resolved in Pega Version 8.7
Tomcat Web Tier Busy Threads were not being correctly released, causing stability and performance problems that included health check pings not receiving a thread to service the request so the node was marked as bad, users were quiesced, and the node replaced. Investigation showed the 'put' on the blocking queue did not time out when the queue was full and waited indefinitely, keeping the thread blocked. To resolve this, the system will use 'offer' on the blocking queue instead of 'put' to force thread release on timeout. In addition, debug logs have been added to understand when the offer (or Put) does not succeed and the state of the queue that is causing this issue; the debug logs for class com.pega.pegarules.session.internal.serverpush.RoboticAutomationImpl should be enabled only if the thread busy issue is observed and for limited time window while actively debugging.
INC-164794 · Issue 637993
Apache Commons libraries updated
Resolved in Pega Version 8.7
Apache commons-codec has been updated to version 1.15 , and Apache commons-io has been updated to version 2.7.
INC-168696 · Issue 645531
Improved logging for column population exceptions
Resolved in Pega Version 8.7
Improvements have been added to logging to assist in capturing issues with OptimizationMetadata that could lead to a ColumnPopulationException.
INC-170599 · Issue 645222
DSS partition count setting made backward compatible
Resolved in Pega Version 8.7
After upgrade, the DSS 'dsm/services/stream/pyTopicPartitionsCount' used to limit the number of partitions was no longer working and instead used the default value of 20. This has been corrected and made backwards compatible.
INC-171314 · Issue 656864
Check added to ensure read locks are released
Resolved in Pega Version 8.7
Read locks were not being properly released if a thread was holding a read lock and the system encountered an issue such as an out of memory condition. To resolve this, an update has been made to DeclarativePageDefinitionCacheImpl which will check whether a thread holds any read lock before trying to acquire a write lock, and if so release all the read locks held by that thread.
INC-172675 · Issue 649455
Configuration added for extending queue processor timeout
Resolved in Pega Version 8.7
Alerts for queue processor (QP) items which took more than 15 minutes to run could result in the system marking the node as 'unhealthy'. In environments with Pega Health Check enabled, this would shut down the node gracefully. It was not possible to change this default as it was hardcoded. In order to support systems that may have custom processes that run beyond 15 minutes, a a new setting has been exposed that allows configuration of the interval after which a node with long-running queue processor is marked as unhealthy and is restarted. By default this remains 900000 milliseconds / 900 seconds / 15 minutes, but it may be adjusted up to 24 hours to avoid premature node shutdown. The stale thread detection mechanism will take that setting into account and use the provided value or default to 15 minutes if the value was not provided. In addition, the threshold's units in the UI have been changed from ms to seconds.
INC-173162 · Issue 650795
Certificate match will use Subject Distinguished Name
Resolved in Pega Version 8.7
Signature verification was failing due to the system not finding the matching root certificate for the chain. The root certificate was in the trust store, but the system found a different certificate first and that other certificate (an intermediate certificate) was not considered a valid certificate for validating the whole certificate chain. This was traced to filtering on the Issuer Distinguished Name (DN) instead of the Subject DN and was due to intermediate certificates potentially having the same Issuer as a root certificate (e.g. if that root certificate was used to create the intermediate certificate). To resolve this, an update has been made to check the Subject DN instead of Issuer DN.
INC-173663 · Issue 651302
Resolved Push Node Daily Information exception
Resolved in Pega Version 8.7
The "Push Nodes Info Daily" agent was generating an exception on each of the nodes. This has been resolved by enhancing the PegaAESRemote code to handle the exception and get the node info locally, then push it to the console when it is not able to get it via the cluster management API.
INC-174296 · Issue 650756
Delayed JS/DF initialization failures will trigger alert
Resolved in Pega Version 8.7
In order to ensure better cluster monitoring, a PEGA0102 alert has been added for job registration failure that will be triggered if there are startup issues. The logging will include the JOB_NAME for improved troubleshooting.