
Resolved Issues


INC-137709 · Issue 584295

New security role added to restrict access to development-specific classes

Resolved in Pega Version 8.4.3

A new security role and related RAROs have been implemented to allow better security for end users on non-BAC systems. This restricts access to Rules and execution of activities on classes that are development-specific.

INC-139300 · Issue 590270

Additional security for encrypted passwords

Resolved in Pega Version 8.4.3

Handling and cleanup have been updated for encrypted values to enhance security.

INC-130145 · Issue 582854

Null checks added for the presence of roles and dependent roles

Resolved in Pega Version 8.4.3

Frequent Null Pointer errors were being generated relating to SecurityAnalysisForSecurityAdministratorsTask.getCurrentSecurityTaskDetails(). Investigation showed that the Origin and Stack trace tabs were empty, leading to the obj-open of the role failing when the role was not available in the system being utilized. This has been resolved by adding a series of null checks for role existence and dependent roles existence.

INC-130500 · Issue 580622

Cross-site scripting protections updated for authorization

Resolved in Pega Version 8.4.3

Cross-site scripting protections have been updated for various URLs associated with authorization.

INC-134315 · Issue 578368

Resolved 400 error on second browser session

Resolved in Pega Version 8.4.3

When accessing application URLs in two tabs of a browser window, logging into the second session was throwing a 400 invalid request. This has been resolved by adding specified activities to an allow list which will bypass URLObfuscation in unauthenticated mode. Non-listed activities will be processed using URLObfuscation if it is enabled.

INC-135849 · Issue 582938

Encrypted SOAP response token generation updated

Resolved in Pega Version 8.4.3

After configuring a SOAP service that used signature and encryption on the response, the response being created was incorrect and could not be decrypted by the receiver. Investigation showed that the API used to generate the SOAP headers was not setting the wsse11:TokenType element, causing receivers which enforce BSP compliance to fail. This has been resolved by modifying the custom webservices-rt-pega2 jar to set the token type in the case of a response encryption policy.

INC-138354 · Issue 584720

Handling added for SameSite cookies with HttpOnly

Resolved in Pega Version 8.4.3

After enabling SameSite cookies on Google Chrome to support Mashup login, intermittent issues were seen with a non-mashup login where entering the OperatorID and password only resulted in a refresh of the login screen. This was traced to a scenario where an HttpOnly cookie attribute was present along with SameSite cookie attributes, and has been resolved by adding handling for a condition where SameSite is set and HttpOnly is enabled.

INC-139867 · Issue 588756

Additional security for encrypted passwords

Resolved in Pega Version 8.4.3

Handling and cleanup have been updated for encrypted values to enhance security.

INC-142145 · Issue 594916

Resolved 403 error for refresh of incognito window with CSRF

Resolved in Pega Version 8.4.3

Opening the simpleurl in a fresh incognito window opened the work object in a standard thread, but on refresh of the window a 403 error appeared and the screen went blank. This was a missed use case for the recently added CSRF validation for non-AJAX GET requests which are redirected POST requests. The CSRF token was being validated if pzPostData was in the request, but once the original request was complete the request map was cleared and the pzCtkn value in the request map was empty, resulting in the 403 error. To resolve this, the system will skip CSRF validation for a refresh scenario where the post data request map is empty after the original request, and validation has been added for the blank pyActivity in the request.

INC-130703 · Issue 597253

Operator provisioning on authentication service corrected

Resolved in Pega Version 8.4.3

When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.
