C21 Security Advisory
Received C21 Security Advisory from Pega today and trying to understand the criteria whether this issue impacts our environments or not. Does anybody has more information regarding what is the actual issue.
Is Pega referring local authentication as the "PRServlet" default login which has both authentication and authorization happens in pega? and is that Authentication being referred as local authentication?
If multi-factor authentication is utilized in combination with local authentication - Does it referring the custom authentication using Authentication Service from Pega platform and Authorization happens in Pega by Operator validation?
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has identified a high severity security vulnerability in versions 8.2.1 – 8.6.1 of Pega Infinity(tm).
Pega has created the C21 Hotfix for each relevant version to remediate this issue. You are receiving this communication because you are a designated security contact for your organization, and we believe your organization is running one of the impacted versions of Pega Infinity.
Criteria to determine if systems are impacted:
If the system(s) in question does not use local authentication at all, this mitigates the problem.
If one-time password / ‘forgot password’ functionality is not enabled for locally authenticated users, this mitigates the problem.
Received C21 Security Advisory from Pega today and trying to understand the criteria whether this issue impacts our environments or not. Does anybody has more information regarding what is the actual issue.
Is Pega referring local authentication as the "PRServlet" default login which has both authentication and authorization happens in pega? and is that Authentication being referred as local authentication?
If multi-factor authentication is utilized in combination with local authentication - Does it referring the custom authentication using Authentication Service from Pega platform and Authorization happens in Pega by Operator validation?
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has identified a high severity security vulnerability in versions 8.2.1 – 8.6.1 of Pega Infinity(tm).
Pega has created the C21 Hotfix for each relevant version to remediate this issue. You are receiving this communication because you are a designated security contact for your organization, and we believe your organization is running one of the impacted versions of Pega Infinity.
Criteria to determine if systems are impacted:
If the system(s) in question does not use local authentication at all, this mitigates the problem.
If one-time password / ‘forgot password’ functionality is not enabled for locally authenticated users, this mitigates the problem.
If multi-factor authentication is utilized in combination with local authentication, this mitigates the problem.
Incessant Technologies
IN
Pegasystems Inc.
US
Hi @CHAVAK01
We'd like to request that you open an incident with our Support Team to further assist you in MySupport Portal
Please reference this post in your incident and let us know the ID so we can track for you here.
Thank you in advance!
Updated: 31 Aug 2021 15:40 EDT
Tech Mahindra
IN
Received C21 Security Advisory from Pega and trying to understand the criteria whether this issue impacts our environments or not.
Does anybody have more information regarding the Hot Fix and How to verify the Fix?
Pega Application installed in Cloud and the version is 8.2.8
Pegasystems Inc.
US
Hi @PEGA028293,
Please open a ticket with our Support Engineers. They will be able to assist you.
Please let us know your INC ID so that we may track.
Thanks!
Updated: 31 Aug 2021 15:47 EDT
Vodafone GmbH
DE
We received the C21 Security Advisory (https://collaborate.pega.com/discussion/pega-security-advisory-c21) and the SR-104823 - "C21 Security Advisory - URGENT ACTION REQUIRED" from Pega on Thursday, August 25th.
I have run multiple hotfix scans on a Pega 8.5.2 installation since Friday morning that should be affected by this high severity security vulnerability. Before running the hotfix scan, I always downloaded the latest hotfix catalog.
Nevertheless, no critical hotfixes are reported as missing after these hotfix scans (last scan with Catalog generation date: 8/31/21 9:41 AM). The HFIX-81214 hotfix, which would correspond to our Pega 8.5.2 installation for this high severity security vulnerability, is not reported as a missing critical hotfix.
Is that expected behavior? Could it be that we are missing other critical hotfixes and the Pega hotfix scan has an issue?
By the way, on Friday I asked the same question in the SR-104823 but haven't received an answer yet.
Pegasystems Inc.
US
HI @MatthiasM0463,
I reached out to my team and they advised me that they will continue to work with you on your SR-104823 to assist you with your questions.
Thank you!
Energy Safe Australia
AU
@MarissaRogers We are getting issues after installing C21 hotfix, too many errors on log file. Raised SR
| INC-190541 |
Pegasystems Inc.
US
Thanks @DharanitharanR5430!
I have attached this PCC Question to your INC.
Pegasystems Inc.
GB
@DharanitharanR5430 via the support ticket I can see that the issue resolved itself. Nov 7, 2021
After clearing pr_data_admin_sec_sde_cdk table, web node throwing failed to decryp Pega-RULES cookie
We were not able to replicate the issue, a debug patch had been given and should the issue happens again in the future, please install the debug patch. The initial issue that was solved by clearing pr_data_admin_sec_sde_cdk table has been fixed on 8.4.2, please apply the latest 8.4.x patch.
Pegasystems Inc.
GB
@MatthiasM0463 I can see that on 7 October you agreed to close the support incident as all relevant hotfixes were downloaded and installed and this resolve the vulnerability.