Pega has identified a high security vulnerability in all versions of the Pega platform. Can you please provide more details on the mentioned high security vulnerabilities, the A22 upgrade, and timelines? Also, please attach the related document.
@Anuj_Malviya_CSSA there is no document available apart from the email notifications that you were sent.
Details regarding the vulnerability will be published as a CVE on May 25th on our Security Bulletins page. At that point, details about the vulnerability will be available in the public domain.
Upgrade and timeline: clients are urged to deploy the hotfix immediately; installation is a fast, safe, and simple action to take.
Attackers with platform developer permissions can potentially insert Java code in Pega Platform to execute OS commands and take malicious actions, such as launching an attack. Although we are not aware of any such malicious actions taking place with our clients, Pega has acted with an abundance of caution to eliminate this possibility.
To determine if a system is impacted, clients can review any activities or rules that contain Java with reference to the information provided in the Pega Community article: Configuring the Java Injection Check. After the hotfix is applied, any Java injection code detected will be blocked, and there will be no way to allow it to run.
We have been advised that, if you have further questions or concerns, you should open a support request via My Support Portal.