Pega continually works to update third-party libraries to protect client environments. Three vulnerabilities were recently identified in the JsonWebToken library (the Node.js jsonwebtoken package) that could lead to the unintended actions described below.
A table listing how Pega products and versions are affected, based on third-party usage, is also provided.
CVE | Rating* | Description | Impact
 | Medium | Unrestricted key type could lead to legacy keys usage | Insecure configuration of key type/algorithm
 | Medium | Insecure default algorithm in jwt.verify() could lead to signature validation bypass | Lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass
 | Medium | Insecure implementation of key retrieval function could lead to forgeable tokens | Can lead to successful validation of forged tokens
NB: A further related issue, CVE-2022-23529, has since been withdrawn, so it is not included in this remediation.
*Rating by Pega based on our assessment of the impact on our products.
The table below outlines how Pega products are affected:
Pega product | Affected versions | Remediation
Pega Platform (utilizing Constellation UI) | 8.6 to 8.8, depending on use of the Constellation UI feature in the product | The Pega Platform itself is unaffected. However, we recommend that clients update to the latest patch releases. Pega has updated to the latest JsonWebToken version in our latest deployments. See the Constellation UI Service remediation table below.
Customer Service (CS) | Affected versions of CS depend on usage of the Digital Messaging service (DMS), which supports Pega Intelligent Virtual Assistant™ (IVA) chat on various messaging platforms. Refer to Configuring Digital Messaging channel security for the minimum Pega Customer Service™ and Pega Platform™ versions required. | If DMS is in use, it was updated with the latest JsonWebToken library via Continuous Integration/Continuous Delivery on January 27, 2023. No client action is required.
Constellation UI Service remediation
Hosted | Remediation | Images containing remediation
Pega Cloud / Pega Cloud for Govt | There is no action required for Pega Cloud customers, as the service has been updated by the Pega Cloud team. | Not Applicable
On-Premises Client Managed Cloud | Please upgrade to the latest deployment. | 8.8: constellation-appstatic-service/docker-image/1.0.10-20230210125746 (or later); 8.7: constellationui/service/8.7.4-ga-14 (or later); 8.6: constellationui/service/8.6.6-ga-5 (or later)
For more details on 8.8+ constellation-appstatic-service/docker-image see:
https://documents.constellation.pega.io/static/88/introduction.html
For more details on 8.6/8.7 constellation-service/docker-image review the following:
https://documents.constellation.pega.io/static/86-87/introduction.html
For more details on Constellation Architecture see:
As always, we recommend our clients review our Security Checklist regularly.