We are still on Pega 6.3 SP1. Recently our organization internal security team have identified vulnerability for cross site scripting, related to the FusionChart library that is being used. They are recommending to upgrade to the latest version of the FusionChart library to resolve the vulnerability. But we understand that the FusionChart library in PEGA is shipped along prpublic jar and it cannot be just upgraded stand alone. It requires a Pega Version upgrade to 7.x or 8.x, which we don't have plans in the near future. Given this situation, is there any other option to resolve the problem? Is there a way to delete specific libraries related to FusionChart library alone, which could help?
Also, what are the different ruletypes in pega which uses this FusionChart library? Is it just the reporting rules or it is used by other rule types as well? The reason behind this question is to understand the impact behind deleting the specific fusionchart class entries from the engine class table.
***Edited by Moderator Marissa to update platform capability tags; update SR Details****
It seems issue is with fusion chart library.It is a third party library.They have fixed it in later versions which is being used in a later version of pega.Hence you should upgrade to higher version of pega.
Posted: 3 years ago
Posted: 30 Sep 2019 13:20 EDT
Sivaguru Krishnamurthy (SivaguruK)
Capital One Bank
Capital One Bank
Thanks for the response Abhinav. Yes, definitely Pega upgrade will fix it. But that is a bigger project which is currently not in our pipeline. So looking for a different fix to this vulnerability, which can be done without the upgrade, as this is a security findings.