SR-A99908 · Issue 270284
Purge export logic updated to handle TimeCreated keys that differ by milliseconds
Resolved in Pega Version 7.2.2
Purge/Archive was failing during export of the archives. Analysis showed that when exporting keys of a History class mapped to a table with no blob and pxTimeCreated as a key column, mapping that column to a column of Date type on Oracle caused the pzInsKeys of the History- instances to be recalculated, and the millisecond part of the timestamp was rounded in the key to 000. Keys that differed only in milliseconds therefore became duplicates and the export failed. This has been resolved by modifying the export logic to handle keys that differ only in milliseconds for blobless History class instances.
SR-A92640 · Issue 266679
Rules upgrade considers DADT instances for mapping
Resolved in Pega Version 7.2.2
When migrating and upgrading the rules tables to a new schema, the _upgradeRuleBase task was trying to remap some work classes/tables to pr_other. This was due to the class name being compared case-sensitively when the site had DADT instances whose class name did not match the case of the class instance. To resolve this, the check has been made case-insensitive so DADT instances are not missed.
SR-A102766 · Issue 269648
db2zOS tablespace script logic updated
Resolved in Pega Version 7.2.2
When running the generateddl script against a db2zos database, the tool determines, for each table, whether the current tablespace page size needs to be increased before the DDL changes can be applied. For the pc_work_social table, the tool included the size of new columns when it calculated the projected table size, but it did not take into account the altering of existing columns. This has been fixed by tightening up the JDBC resource handling.
SR-A98103 · Issue 266253
Scheduled recurring Purge/Archive set to reuse specified start time
Resolved in Pega Version 7.2.2
When scheduled to run every day at a particular time, the Purge/Archive function started later each time. This was because the function used the Agent's running time for rescheduling, so the next run started the following day at the time the previous run had ended. The function has been modified to use the customer-specified start time instead of calculating the next run from the Agent time.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB2 error codes being returned to the user in the exception response. To prevent any vulnerability, the message shown to the HTTP client now masks SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB2 error codes being returned to the user in the exception response. This was not an issue with Oracle. To prevent any vulnerability, the message shown to the HTTP client now masks SQLCodes.
SR-A87992 · Issue 258338
OperatorID page handling corrected for authentication failures
Resolved in Pega Version 7.2.2
With security policies and the password lock-out feature enabled, a valid authentication attempt resulted in the 'OperatorID' page being present in all threads; but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in the 'STANDARD' thread and was empty in the other threads. This was caused by the method used to update the failure count for authentication attempts, and has been corrected.
SR-A90144 · Issue 259472
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93015 · Issue 260000
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A93024 · Issue 259995
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.