Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated Critical on the CVSS scale.
We would like to thank Mohamad Shokor for working with us to help protect our clients with respect to Default Operators. Pega issued this Security Advisory to remind clients of our leading practices as found in our installation and security checklist guides.
Default Operators have been identified by OWASP as a security threat, because they can ship with well-known user name/password combinations.
Default Operators are shipped as disabled in Pega Infinity 8.X versions and will be removed for new Pega Infinity ‘23 deployments. Clients who have upgraded from a version prior to 8.x may be affected.
The researcher contacted clients who had not changed the passwords of their default operators.
For all clients, guidance is being provided as follows: https://docs.pega.com/bundle/platform-88/page/platform/security/securit….
To prevent unauthorized access with default passwords, change the passwords for all default operators. Disable or delete the operator IDs that you do not plan to use.
Note: The passwords should be changed for disabled operators as well.
It is very important to keep your Pega systems current on the latest patch releases.
For more detailed information, please review your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on April 24, 2023, in My Support Portal.
| CVE Details | C23 - Initial CVE | *C23 - New CVE |
| --- | --- | --- |
| Software / Product | Pega Platform | Pega Platform |
| Affected Versions | From 7.4 to 8.8.X | From 6.1 to 7.3.1 |
| Description | Default Operators | Default Operators |
*In an effort to more accurately represent the C23 vulnerability, we opted to break it out into two separate CVEs: one for versions 6.1-7.3.1 and a second for versions 7.4-8.8.x.