Skip to main content

Security Advisory

 Daniel Mercurio (DanielMercurio)
PEGA
Manager, Knowledge Management
Pegasystems Inc.
US
DanielMercurio Member since 2019 2 posts
PEGA
Posted: Jul 1, 2024
Last activity: Oct 1, 2024
Posted: 1 Jul 2024 17:07 EDT
Last activity: 1 Oct 2024 15:12 EDT

ACTION REQUIRED: FTP and SFTP Connections

Background 

To optimize client system security, the Pega Infinity versions 24.1, 23.1.2, and 8.8.5 and above have disabled the ssh-rsa algorithm for FTP and SFTP connections originating from Pega Infinity environments. The ssh-rsa algorithm uses SHA-1, which is considered insecure and vulnerable to collision attacks. NIST recommends that all usage of SHA-1 should be replaced with newer and more secure algorithms. The latest version of the jsch library disables this algorithm by default.  

Who does this impact? 

You are affected if: 

  • Your Pega Infinity environment connects to a FTP or SFTP server that uses ssh-rsa host keys or public keys, and 

  • You are on Pega Infinity versions 24.1, 23.1.2, and 8.8.5 and above  

This issue does not impact the Pega Cloud SFTP Service. For more information on the Pega Cloud SFTP service, see Using Pega Cloud SFTP service

Error Message 

Non-Pega Cloud clients: non-Pega Cloud clients who are impacted will find the following error message the Pega logs. 

Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa"

Client Action Required 

Clients must review the FTP/SFTP servers in their applications to update to the following algorithms immediately. If your Pega Infinity environment connects to FTP or SFTP servers onsite, please verify the host key or public key used by these servers. If the key was generated using the ssh-rsa algorithm, you should update it to a newer algorithm. The following algorithms are recommended and supported for all version of Pega Infinity that support FTP/SFTP servers:   

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

In addition to the above, the following algorithms are supported as of 24.1, 23.1.2, and 8.8.5:

  • ssh-ed25519

  • rsa-sha2-512

  • rsa-sha2-256 

Pega Cloud clients: For Pega Cloud clients, the Pega Cloud team will be making changes to disable the ssh-rsa algorithm for FTP and SFTP connections originating from Pega Infinity environments. The deadline for Pega Cloud clients to make the required change is September 2024. 

If you have any questions, please raise a ticket via My Support Portal

For other deprecated features in 24.1, see Removed or deprecated features and deployment options. 

To see attachments, please log in.
Pega Platform 8.8.5
Pega Platform '24.1
Pega Platform '23.1.2
Pega Platform
Pega Platform

Did you find this content helpful?
Yes
No

  • Reply
  • Venkata Rama Krishna Chinni
Posted: 5 months ago
Posted: 29 Jul 2024 10:55 EDT
Anshul Sinha (AnshulS39)
ANZ Banking Group Ltd

ANZ Banking Group Ltd
IN

Does these changes have any impact on the BIX Extraction on Pega Cloud 8.8.5 version, where its all uses a Repository APIs for storing and retrieving files into S3 Buckets

To see attachments, please log in.
Posted: 5 months ago
Posted: 29 Jul 2024 15:58 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

Hi @AnshulS39 - there is no impact if the BIX extraction is directed at an S3 repository. This advisory is only relevant for SFTP connections. No changes are necessary if the BIX extraction is using Repository APIs for S3.

To see attachments, please log in.
Posted: 5 months ago
Posted: 1 Aug 2024 5:00 EDT
Markus Moranz (moram)
PEGA
Principal Enterprise Architect
Pegasystems Inc.
DE

@DanielMercurio  You mention "The latest version of the jsch library disables this algorithm by default.".

Since we seem not to provide an FTP/SFTP-Connector OOTB that supports that within platform, we point to third party java library that must be imported by developers.

Can you please provide a URL to that latest version you refer to in this document here and also ask to provide same linked URL in https://docs.pega.com/bundle/platform/page/platform/release-notes/deprecated-features.html in section "Feature deprecation starting in Pega Platform '24.1" in subsection "ssh-rsa algorithm for FTP and SFTP connections", where same statement is made?

The original source of jsch at http://www.jcraft.com/jsch/ seems to show no update. I am only aware of alternative jsch-branch at https://github.com/mwiede/jsch?tab=readme-ov-file#readme that explains in its ReadMe that the branch was started also for the security-reason mentioned here.

To see attachments, please log in.
Posted: 5 months ago
Updated: 4 months ago
Posted: 1 Aug 2024 9:54 EDT
Updated: 4 Sep 2024 13:39 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

Hi @moram - The JSCH library is provided out of the box by Pega, developers should not need to import it. The out of the box FTP/SFTP connectors (https://docs.pega.com/bundle/platform/page/platform/reference/methods/c…) use this library. This would be the scenario if you have configured an SFTP server with an FTP Server data instance: https://docs.pega.com/bundle/platform/page/platform/data-integration/ft…

Starting in the Pega Infinity versions listed above, we have moved from the original library, http://www.jcraft.com/jsch/, to the https://github.com/mwiede/jsch alternative that you have referenced. This is the technical reason behind the change in default algorithm support.

To see attachments, please log in.
Posted: 4 months ago
Posted: 4 Sep 2024 12:10 EDT
Markus Moranz (moram)
PEGA
Principal Enterprise Architect
Pegasystems Inc.
DE

@Adam TalbotIn der reference in documentation I do read only "Connect-FTP", but not use of "mwiede libs" for implementation of an SFTP "outbound" connect that allows clients to PULL files to Pega with low-code configuration.

In documentation for Connect-FTP you link above related content links further to "Secure file transfer in Pega (https://docs.pega.com/bundle/platform/page/platform/data-integration/se…) in Cloud context and I do read sentence in that article "Pega Cloud® services and on-premises users can securely transfer files to or from any Pega Platform™ application by using two file transfer protocols (FTP)."

Subsequent 2 protocols SFTP and FTPS are explained but the next section talks SFTP Service in Pega Cloud.

There is no mention that a rule-configurable Connect-SFTP or Connect-FTP with options to wrap it with "S"="secure" exists, which allows PULLING of files from an external passive SFTP-service to Pega file storage for further processing.

To me it seems that our clients are forced into Java-coding, since this use case ("Pull from external SFTP service") does not have a low-code-configurable Connect rule template, that - behind the scenes - makes use of "mwiede libs" internally in platform OOTB.

To see attachments, please log in.
Posted: 4 months ago
Posted: 23 Aug 2024 2:04 EDT
Giuliano Mancini (GiulianoM9097)
NTT DATA ITALIA S.P.A.

NTT DATA ITALIA S.P.A.
IT

@DanielMercurio

If I want to verify that my SFTP Servers are already adapted to the PEGA changes I can do it in two ways:

1) From a client that reaches the server, launch the command ssh-keyscan -v -t rsa,ecdsa,ed25519 and verify that for example debug1 is returned: kex: host key algorithm: ecdsa-sha2-nistp384

2) Attempt a connection by forcing a host key algorithm with one of the compliant ones for example sftp -oHostKeyAlgorithms=ecdsa-sha2-nistp384 user@SFTPServer and verify that it is accepted (if it is not accepted you typically get Unable to negotiate, no matching host key type found. Their offer ssh-rsa,ssh-dss

Thanks in advance

To see attachments, please log in.
Posted: 3 months ago
Posted: 27 Sep 2024 13:41 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@GiulianoM9097 This is all correct. Personally I recommend using ssh-keyscan with the -v flag, as it is an easy check to run in most environments.

Additionally, if you want to verify from Pega Infinity, you can enable the pxIntegration.Connector.FTP log group in Admin Studio. When you connect to an SFTP server from Pega Infinity, this will print out diagnostic information about the security handshake process, which includes printing out the negotiated host key algorithm to use. Depending on what access you have to various resources, that could be an easier approach.

To see attachments, please log in.
Posted: 4 months ago
Posted: 2 Sep 2024 3:37 EDT
Gilmer Torres (GilmerT5)
Blue Zone Consulting Partners
Pega Developer
Blue Zone Consulting Partners
MX

@DanielMercurio Currently my application is using Pega Infinity – Pega Platform 8.8.3. Does this change will affect my FTP and SFTP connections? or it will just affect version 8.8.5 and above?

To see attachments, please log in.
Posted: 4 months ago
Posted: 4 Sep 2024 11:45 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@GilmerT5 If your Pega Infinity version is 8.8.3, and you are not on Pega Cloud, this change does not affect you yet. This change will only affect your connections after your Pega Infinity environment is patched to 8.8.5, or updated to 23.1.2 or higher, or 24.1.0 or higher. However, ssh-rsa is a deprecated security algorithm. It is advisable to update to a newer algorithm even if you are not on a version where it is required.

If you are on Pega Cloud, you will have received a separate communication regarding ssh-rsa support, and it will affect all Pega Infinity versions. But this is only true if you are running on Pega Cloud.

To see attachments, please log in.
Posted: 4 months ago
Posted: 4 Sep 2024 11:54 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@SandeepJ9518 Yes, you should create your public keys with a newer algorithm instead of ssh-rsa. The process to do this will depend on the SFTP server and the specific third-party software you are using. If you need dedicated assistance working with your SFTP software, I recommend opening a ticket via My Support Portal so that someone can work with you. Whoever owns your SFTP server may also know what commands to use.

To see attachments, please log in.
Posted: 3 months ago
Posted: 27 Sep 2024 13:31 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@ReshmaK3 If you are using Connect FTP rules, if the server configured in the rule is an SFTP server, then you may be impacted. Additionally, if you have written a custom activity that connects to an SFTP server, then you may be impacted. For those SFTP connections, if you are connecting to your own self-hosted SFTP server, then you should verify if it uses an ssh-rsa host key. If it does, update the host key to use a newer algorithm.

Note, Pega-provided SFTP servers are already configured to use newer algorithms.

To see attachments, please log in.
Posted: 3 months ago
Posted: 1 Oct 2024 13:54 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@ReshmaK3 Assuming your Pega Infinity '23 environment is on-prem or client-managed cloud (i.e. not a Pega Cloud environment), the change won't be enforced until you upgrade to a minimum of 23.1.2 or 24.1.0. If you specifically need the change to be enforced earlier than that, I would raise a ticket on My Support Portal, but generally it shouldn't be necessary.

To see attachments, please log in.
Posted: 3 months ago
Posted: 1 Oct 2024 15:01 EDT
Adam Talbot (Adam Talbot)
PEGA
Manager, Cloud Engineering
Pegasystems Inc.
US

@ReshmaK3 For applications in Pega Cloud, you should have received a separate CAD regarding these changes. In Pega Cloud, ssh-rsa will no longer be supported for any release, including 23.1.0. If your sftp servers are still using ssh-rsa host keys, and you need continued ssh-rsa support, you should raise a ticket as soon as possible so they can work with you on that. If you no longer need ssh-rsa support, then you don't need to take any action.

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice