Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases and hotfixes for one high-severity security vulnerability in Pega Platform. We would like to thank Tomasz Stachowicz for finding this vulnerability.
Advisory | Description | Impact | Remediation
---|---|---|---
A24 | XML external entity (XXE) vulnerability | High: An XML External Entity (XXE) attack targets an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by an XML parser that is configured to resolve such entities. Clients with internet-facing applications should update or apply the hotfix. Clients running their own infrastructure should consult their security teams. | 8.8.3 hotfix; 8.8.4 hotfix; 8.8.5 patch release; 23.1.0 release
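The advisory describes the bug class but not the parser configuration behind it. The following Java example is added here to show the difference; it is not Pega's code and says nothing about how the PDF generation component is implemented. It builds one JAXP `DocumentBuilder` with default settings, which resolves external general entities, and one hardened builder that rejects any DOCTYPE, then feeds both a constructed payload whose entity points at a constructed temporary file standing in for a server-side secret. Class and method names (`XxeDemo`, `vulnerableBuilder`, `hardenedBuilder`, `parseRootText`) and the sample file contents are assumptions made for this example.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example (not Pega code): a default JAXP parser beside a hardened one.
public class XxeDemo {

    // JAXP defaults: the DTD is processed and external general entities are
    // resolved. This is the configuration an XXE payload relies on.
    static DocumentBuilder vulnerableBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened: refusing the DOCTYPE removes every entity-based vector
    // (local file disclosure, SSRF via SYSTEM URIs, entity expansion DoS).
    // The remaining features are defence in depth for parsers that must
    // accept a DOCTYPE for some other reason.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Text content of the root element after parsing, or null when the
    // parser refused the document (the hardened builder raises a fatal
    // SAXParseException as soon as it sees the DOCTYPE).
    static String parseRootText(DocumentBuilder b, String xml) throws Exception {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the server should never disclose.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.writeString(secret.toPath(), "db.password=hunter2");

        // Constructed attacker payload: an external entity whose SYSTEM
        // identifier is a file: URI; the parser substitutes the file's
        // contents wherever &xxe; appears in the document.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<doc>&xxe;</doc>";

        // Default parser prints the secret; hardened parser prints null.
        System.out.println("default parser : " + parseRootText(vulnerableBuilder(), payload));
        System.out.println("hardened parser: " + parseRootText(hardenedBuilder(), payload));
    }
}
```

The same payload shape works against any endpoint that accepts attacker-controlled XML, including document-generation features, so the check a practitioner wants after applying a hotfix is to submit a DOCTYPE-bearing document to the affected feature and confirm it is rejected rather than rendered.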
We are not aware of any of our clients being compromised as a result of this vulnerability.
We will not provide hotfixes on other prior versions of the platform, nor will we provide steps as part of a local change.
If you are a Pega Cloud client, your Pega Cloud® environments running the relevant Pega versions listed in the table below are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments; each case provides the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Service Request (SR) cases are being created which will provide the relevant hotfixes for you to apply to your PCFG environments.
If you are an on-premises or client-managed cloud client, please review the table below to determine which hotfix corresponds to your Pegasystems installation.
Once you have determined the appropriate hotfix ID(s), download your hotfix directly from My Security Hotfixes on My Pega.
This facility enables self-service access to security hotfixes without the need to raise a support ticket.
As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
CVE Details
CVE Details | XXE issue with PDF Generation
---|---
Software/Product | Pega Platform
Affected Version(s) | From 6.x to 8.8.4
CVE ID | CVE-2023-50168
CVSS Rating | 7.7
Description | XML external entity (XXE) vulnerability
Hotfixes
A hotfix exists, as noted above, for the following releases in standard support: 8.8.3 and 8.8.4. We will not provide hotfixes on other prior versions of the platform, nor are steps available as part of a local change.
A restart will be needed for the hotfix changes to apply.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
Version | XXE issue with PDF Generation
---|---
8.8.3 | HFIX-B394
8.8.4 | HFIX-B91