CVEs & pega platform 7.4
Hi, where can I find information if we have solutions for the following CVEs for a client on pega platform 7.4?
CVE-2020-8774 - reflected cross-site scripting
CVE-2020-24353 - cross-site scripting
CVE-2020-11023, CVE-2020-11022 - jquery versions
***Edited by Moderator Marije to add Capability tags***
Accepted Solution
Updated: 21 Mar 2022 9:19 EDT
Pegasystems Inc.
GB
@yipy1 your first port of call would probably be to check the Security Bulletins which you can get to via the Pega Trust Centre
The Pega Documentation also lists Security Advisories.
The forum discussions list notifications regarding version-specific Critical Hotfixes.
You can also check the following link for details on whether or not these would actually have any impact.
Pega 7.4 which is an older version and therefore it is using an earlier version of jquery.
We would urge you to consider upgrading to the latest versions of Pega because of important security and reliability improvements that are delivered with each new release. T
Please find below 'Pega software maintenance and extended support policy'
Answers to your specific Common Vulnerabilities and Exposures:
@yipy1 your first port of call would probably be to check the Security Bulletins which you can get to via the Pega Trust Centre
The Pega Documentation also lists Security Advisories.
The forum discussions list notifications regarding version-specific Critical Hotfixes.
You can also check the following link for details on whether or not these would actually have any impact.
Pega 7.4 which is an older version and therefore it is using an earlier version of jquery.
We would urge you to consider upgrading to the latest versions of Pega because of important security and reliability improvements that are delivered with each new release. T
Please find below 'Pega software maintenance and extended support policy'
Answers to your specific Common Vulnerabilities and Exposures:
1. CVE-2020-8774 this change can be done only on the environment level as the local change to the prweb.war/diagnostic/error.jsp and status.jsp. Change: Before - <%= new Date(System.currentTimeMillis()) %>. <%= sETierVersion %> After - <%= new Date(System.currentTimeMillis()) %>. Remove the <%= sETierVersion %>
ie please suggest below local-change: 1. Open prweb.war archive in the distribution media 2. Navigate to the Diagnostic folder 3. Open the Status.jsp file 4. Comment out or remove the code which is responsible to display the engine version: Before - <%= new Date(System.currentTimeMillis()) %>. <%= sETierVersion %> After - <%= new Date(System.currentTimeMillis()) %>. 5. Save the file or repackage the war file and deploy it to the application server 6. Restart the nodes
For Pega Cloud deployment: Please apply this change to the CCB so this change will be in every deployment/restart
2. CVE-2021-27653 - Refer the security B21 advisory. https://collaborate.pega.com/discussion/pega-security-advisory-%E2%80%93-b21
I believe for 7.4 you'll need to log a support incident requesting
HFIX-81704 HFIX-81706 HFIX-81735 HFIX-50728
3. CVE-2020-11023 and CVE-2020-11022
As documented in the following articles, you will need to upgrade to 8.5.2 or higher to get the latest JQuery version:
https://collaborate.pega.com/question/jquery-and-jquery-ui-libraries-used-pega-841-and-851 https://collaborate.pega.com/question/pega-84-has-vulnerable-jquery-341
Upgrading JQuery is very complex and would introduce major regression; thus Pega only upgrades JQuery in new releases to address security fixes.
Since you are on a much older 7.4 version, you should look to upgrade to the latest pega platform version to take advantage of the latest security improvements. JQuery cannot be provided as a hotfix.
In 8.6 version the jQuery is updated to 3.5.1, As per this url: https://github.com/advisories/GHSA-gxr4-xjj5-5px2, 3.5.1 is not an affected version for vulnerability in jQuery,