Question
Republic Services
US
Last activity: 13 Apr 2022 11:03 EDT
Security Hotfix A22 - Pega Platform : Pega Security Advisory A22 Vulnerability – Hotfix Matrix.
Pega Security Advisory A22 Vulnerability – Hotfix Matrix.
As the hotfix is installed in our DEV and QA and we would like to know the answers for the questions below.
Email says " 1) "our clients may experience an application disruption because of this remediation" , What kind of disruption we might can face? can you elaborate? 2) Is there any way to identify which rules can cause this injection? 3) And the email says "hot fix will prevent certain client-created activities and rules with Java code from running" , What activities will be impacted ? All the activities we created as part of development ? can you share some examples? 4)Do we need to do any validations or testing post or pre hot fix installation?
Appreciate your response
Pegasystems Inc.
NL
Hi @Nagenderm4937,
With this hotfix we're strengthening our Java Injection protection. If for example you're using specific special functions in Java steps, these might get blocked now and will not execute. See also: https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#security/rule-security/configuring-java-injection-check-tsk.htm
You can search for the keywords mentioned in that document, such as getRuntime, to help identify potentially affected rules like activities and JSPs. You only need to focus your verification and testing on activities that have Java steps or Java used in other ruletypes like JSPs.
Modern designed Pega application do not use custom Java. Older applications might rely on some custom Java code, however that Java code should not contain any function calls that we're blocking with this hotfix. Please take this moment to consider modernizing your applications to further reduce reliance on Java code.
Hope this answers some of your questions.
Kind regards,