Skip to main content

Resolved Issues

View the resolved issues for a specific Platform release.

Go to download resolved issues by patch release.

Browse release notes for a selected Pega Version.

NOTE: Enter just the Case ID number (SR or INC) in order to find the associated Support Request.

SR-113624 · Issue 167070

Enabling out-of-the-box Security Policies now redirects immediately

Resolved in Pega Version 7.1.7

When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.

SR-118077 · Issue 170104

Excessive logging addressed in Pega Mobile 4.3

Resolved in Pega Version 7.1.7

In PegaMobile, the oLog debugging statements were generating excessive log files. This has been addressed in Pega Mobile 4.3.

SR-118880 · Issue 172588

Change Password redirect loop fixed

Resolved in Pega Version 7.1.7

When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.

SR-A87291 · Issue 255631

JDBC password encryption check logic updated

Resolved in Pega Version 7.2.2

When using a Database instance with a JDBC connection URL, the specified password is encrypted. An issue was occurring where multiple saves of the instance caused the encrypted password to be encrypted again, causing the agent to lose access to the DB due to an authentication failure. The problem was traced to a logic flaw in the method used to check whether the password was already encrypted, and has been fixed.

SR-A91802 · Issue 260001

Apache Struts JARS updated to improve security

Resolved in Pega Version 7.2.2

The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

SR-A76763 · Issue 252485

Ensured Dirty pop up appears for mobile log off

Resolved in Pega Version 7.2.2

While closing a dirty form on a mobile device, the warning popup was not shown while logging off. A check has been added to control_actions so logging out will return 'if dirty' to resolve this.

SR-A87698 · Issue 256038

SQL info stripped from user-view DB2 error codes

Resolved in Pega Version 7.2.2

A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.

SR-A87698 · Issue 260087

SQL info stripped from user-view DB2 error codes

Resolved in Pega Version 7.2.2

A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.

SR-A87992 · Issue 258338

OperatorID page handling corrected for authentication failures

Resolved in Pega Version 7.2.2

A valid authentication attempt with security policies and password lock-out feature enabled caused the 'OperatorID' to be present in all the threads, but when the user made an invalid attempt first and then a valid attempt, the 'OperatorID' page was visible only in 'STANDARD' thread and empty in other threads. This was an issue with the method used to update the failure count for authentication attempts, and has been corrected.

SR-A90144 · Issue 259472

Apache Struts JARS updated to improve security

Resolved in Pega Version 7.2.2

The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us