HFIX-B2898 Installation
Pega 8.8.3, added HFIX-B2898 to 4 non-production environmnets, 1 is producing this error: Java code injection pattern identified in the java source code. Vulnerable code detected: java.lang.reflect.Array.getLength(paramVal);AddthetypeandarrayTypeattributesparamElem.addAttribute("type","soapenc:Array",xsiNS);paramElem.addAttribute("arrayType","xsd:"+arrayType+'['+arrayLength+']',soapencNS);Createanitemelementforeacharrayvaluefor(intj=0;j<arrayLength;j++){ObjectarrayVal=java.lang.reflect.Array.get(paramVal,j);com.pega.apache.axiom.om.OMElementitemElem=omFactory.createOMElement("item",blankNS,paramElem);CreateastringvaluewiththecorrectformatStringstringVal="";if(arrayType.equals("date")){if(arrayValinstanceofjava.util.Date)stringVal=PRDateFormat.formatXSDDate((java.util.Date)arrayVal);elsethrownewConnectorException("UnexpectedtypeforX
How do I fix this?
Accepted Solution
Updated: 14 Feb 2025 14:42 EST
HCA Healthcare
US
@SteveS39This error message is a false alarm and does not mean your system is actually vulnerable. The code uses reflection methods like java.lang.reflect.Array.getLength, which are safe when used correctly by the HFIX‑B2898 patch. First, verify that the patch is properly installed in the environment showing the error. Next, check for any custom changes that might have accidentally introduced unsafe code. If everything looks normal, you can safely ignore the warning. It is common for security scanners to flag these patterns even when they are secure. In many cases, you can add an exception to your security scanner for this message. Thanks
Updated: 14 Feb 2025 14:42 EST
Pegasystems Inc.
CA
I recommend creating an INC ticket (Product Support ticket) if there is an error due to HFIX.
Accepted Solution
Updated: 14 Feb 2025 14:42 EST
HCA Healthcare
US
@SteveS39This error message is a false alarm and does not mean your system is actually vulnerable. The code uses reflection methods like java.lang.reflect.Array.getLength, which are safe when used correctly by the HFIX‑B2898 patch. First, verify that the patch is properly installed in the environment showing the error. Next, check for any custom changes that might have accidentally introduced unsafe code. If everything looks normal, you can safely ignore the warning. It is common for security scanners to flag these patterns even when they are secure. In many cases, you can add an exception to your security scanner for this message. Thanks
Pegasystems Inc.
GB
@SteveS39 as @RameshSangili correctly suggested, please log an INC via the MSP in order to determine if it was the HFix that caused the issue, and to make sure what actions are required.
Please provide the INC ticket ID in a reply here, so that we can track the issue.
Frontier Communications
US
@MarijeSchillern Our ticket number is INC-C6657. Our dev team is currently working with Pega Support as well. Thanks for your help and recommendations.