Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for one critical security vulnerability in Pega Platform:
Advisory | Description | Impact | Remediation
B24 | Improper Privilege Management | Critical: an Improper Privilege Management vulnerability may allow an authenticated, low-privileged attacker to elevate privileges on the targeted system. Clients with internet-facing applications should update or apply the hotfix; clients running their own infrastructure should consult their security teams. | 7.3 to 7.4 hotfixes; 8.x hotfixes; 23.1.0/23.1.1 hotfixes; 8.8.5 patch release; 24.1.1 patch release
We are not aware of any of our clients being compromised as a result of this vulnerability.
We will not provide hotfixes on versions of the platform prior to 7.3. Please upgrade your Pega solution as soon as possible. There is no local change available. Please work with your network teams to assess exposure.
If you are a Pega Cloud® client, your Pega Cloud environments, running the relevant Pega versions listed in the table below, are being proactively remediated by Pega. Cloud Maintenance (CM) cases, which are being created for each of your environments, will provide the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Service Request (SR) cases are being created and will provide the relevant hotfixes for you to apply to your PCFG environments.
If you are an on-premises or client-managed cloud client, please review the table below to determine which hotfixes correspond to your Pega installation.
Once you have determined the appropriate hotfix IDs, download your hotfix directly from My Security Hotfixes on My Pega. This new facility enables self-service access to security hotfixes without the need to raise a support ticket.
Note: for versions 7.3 and 7.3.1, you will still need to submit hotfix requests using My Support Portal.
As always, be sure you have appropriate backups in place before applying the hotfixes.
Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on Dec. 16, 2024. In order to give all Pega clients time to patch their on-premises systems, we request that clients not discuss this in public forums until after it’s publicly posted.
As always, we recommend our clients review our Security Checklist regularly.
Issue Details
Issue | Improper Privilege Management
Software/Product | Pega Platform
Affected Version(s) | From 6.x to 24.1.0
CVSS Rating | 9.6
Description | Improper Privilege Management
Hotfixes
A hotfix exists, as noted above, for versions 7.3 and higher. We will not provide hotfixes for versions of the platform prior to 7.3; for those we recommend a platform upgrade as soon as possible. No local-change steps are available as an alternative to the hotfix.
A restart is required for the hotfix changes to take effect.
As a best practice, update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
Version | Hotfix | Hotfix Available from
7.3 | HFIX-B1065 | Raise a ticket in My Support portal
7.3.1 | HFIX-B1064 | Raise a ticket in My Support portal
7.4 | HFIX-B1063 | Download directly from My Security Hotfixes
8.1.0 | HFIX-B453 | Download directly from My Security Hotfixes
8.1.1 | HFIX-B452 | Download directly from My Security Hotfixes
8.1.2 | HFIX-B451 | Download directly from My Security Hotfixes
8.1.3 | HFIX-B450 | Download directly from My Security Hotfixes
8.1.4 | HFIX-B449 | Download directly from My Security Hotfixes
8.1.5 | HFIX-B448 | Download directly from My Security Hotfixes
8.1.6 | HFIX-B447 | Download directly from My Security Hotfixes
8.1.7 | HFIX-B446 | Download directly from My Security Hotfixes
8.1.8 | HFIX-B445 | Download directly from My Security Hotfixes
8.1.9 | HFIX-B444 | Download directly from My Security Hotfixes
8.2.1 | HFIX-B443 | Download directly from My Security Hotfixes
8.2.2 | HFIX-B442 | Download directly from My Security Hotfixes
8.2.3 | HFIX-B441 | Download directly from My Security Hotfixes
8.2.4 | HFIX-B440 | Download directly from My Security Hotfixes
8.2.5 | HFIX-B439 | Download directly from My Security Hotfixes
8.2.6 | HFIX-B438 | Download directly from My Security Hotfixes
8.2.7 | HFIX-B437 | Download directly from My Security Hotfixes
8.2.8 | HFIX-B436 | Download directly from My Security Hotfixes
8.3.0 | HFIX-B435 | Download directly from My Security Hotfixes
8.3.1 | HFIX-B434 | Download directly from My Security Hotfixes
8.3.2 | HFIX-B433 | Download directly from My Security Hotfixes
8.3.3 | HFIX-B432 | Download directly from My Security Hotfixes
8.3.4 | HFIX-B431 | Download directly from My Security Hotfixes
8.3.5 | HFIX-B430 | Download directly from My Security Hotfixes
8.3.6 | HFIX-B429 | Download directly from My Security Hotfixes
8.4.0 | HFIX-B428 | Download directly from My Security Hotfixes
8.4.1 | HFIX-B427 | Download directly from My Security Hotfixes
8.4.2 | HFIX-B426 | Download directly from My Security Hotfixes
8.4.3 | HFIX-B425 | Download directly from My Security Hotfixes
8.4.4 | HFIX-B424 | Download directly from My Security Hotfixes
8.4.5 | HFIX-B423 | Download directly from My Security Hotfixes
8.4.6 | HFIX-B422 | Download directly from My Security Hotfixes
8.5.1 | HFIX-B421 | Download directly from My Security Hotfixes
8.5.2 | HFIX-B420 | Download directly from My Security Hotfixes
8.5.3 | HFIX-B419 | Download directly from My Security Hotfixes
8.5.4 | HFIX-B418 | Download directly from My Security Hotfixes
8.5.5 | HFIX-B417 | Download directly from My Security Hotfixes
8.5.6 | HFIX-B416 | Download directly from My Security Hotfixes
8.6.0 | HFIX-B415 | Download directly from My Security Hotfixes
8.6.1 | HFIX-B414 | Download directly from My Security Hotfixes
8.6.2 | HFIX-B413 | Download directly from My Security Hotfixes
8.6.3 | HFIX-B412 | Download directly from My Security Hotfixes
8.6.4 | HFIX-B411 | Download directly from My Security Hotfixes
8.6.5 | HFIX-B410 | Download directly from My Security Hotfixes
8.6.6 | HFIX-B409 | Download directly from My Security Hotfixes
8.7.0 | HFIX-B408 | Download directly from My Security Hotfixes
8.7.1 | HFIX-B407 | Download directly from My Security Hotfixes
8.7.2 | HFIX-B406 | Download directly from My Security Hotfixes
8.7.3 | HFIX-B405 | Download directly from My Security Hotfixes
8.7.4 | HFIX-B404 | Download directly from My Security Hotfixes
8.7.5 | HFIX-B403 | Download directly from My Security Hotfixes
8.7.6 | HFIX-B402 | Download directly from My Security Hotfixes
8.8.0 | HFIX-B401 | Download directly from My Security Hotfixes
8.8.1 | HFIX-B400 | Download directly from My Security Hotfixes
8.8.2 | HFIX-B399 | Download directly from My Security Hotfixes
8.8.3 | HFIX-B398 | Download directly from My Security Hotfixes
8.8.4 | HFIX-B397 | Download directly from My Security Hotfixes
23.1.0 | HFIX-B396 | Download directly from My Security Hotfixes
23.1.1 | HFIX-B395 | Download directly from My Security Hotfixes
23.1.2 | HFIX-B1506 | Download directly from My Security Hotfixes
24.1.0 | HFIX-B928 | Download directly from My Security Hotfixes
Clients: please refer to your client advisory (dated 17th September 2024) for further details.
Important notice for the 8.8.5 patch release:
The 8.8.5 patch release shipped with the pyUserIdentifier property set to read-only. However, if you need to use the DSS setting described above, the hotfix below must also be installed. This applies only to 8.8.5.
Version | Hotfix
8.8.5 | HFIX-B1505
Mitigations for systems prior to 7.3:
For clients running Pega Platform 6.x or 7.x releases earlier than 7.3, no hotfix is available. Pega strongly recommends that these clients upgrade or update to the latest patch version to take advantage of the latest features, capabilities, and security and bug fixes, as described here: https://docs.pega.com/bundle/keeping-current/page/keeping-current/kc/keeping-current-with-pega.html.