Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases/hotfixes for one medium-severity security vulnerability in Pega Platform:
| Advisory | Description | Impact |
|---|---|---|
| F23 | Mashup rendering issue | An issue was identified with Mashup rendering whereby the URL being processed was truncated and the request defaulted to the access group's default portal, which may expose more data than intended if that default portal is not properly configured for anonymous authentication. Pega recommends that all clients install the hotfix to ensure that this issue is addressed in their systems and has marked the hotfix as critical accordingly. |
We are aware of 1 client being affected as a result of this issue. Out of an abundance of caution, we are taking the extraordinary step of issuing hotfixes for all versions affected.
The affected versions are listed below. The remediation for this issue is included in the 8.8.2 product patch and higher releases; hotfixes are available for the affected versions as listed below.
If you are a Pega Cloud client, your Pega Cloud® environments running the relevant Pega versions listed in the table below are being proactively remediated by Pega. Cloud Maintenance [ CM ] cases are being created for each of your environments; each case provides the schedule of when the hotfixes will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, Service Request [ SR ] cases are being created which will provide the relevant hotfixes for you to apply to your PCFG environments.
If you are an on-premises or client-managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes.
As always, we recommend our clients review our Security Checklist regularly.
| Details | Issue: Mashup Rendering Issue |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | 8.5.6; 8.6.4 to 8.6.6; 8.7.4 to 8.7.5; 8.8.0 to 8.8.1 |
| CVSS Rating | 6.5 (Medium) |
| Description | Mashup Rendering Issue |
Hotfixes:
Hotfixes have been created for the affected patch releases. No restart is needed after installation.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
| Version | Mashup hotfix ID |
|---|---|
| 8.5.6 | HFIX-A953 |
| 8.6.4 | HFIX-A954 |
| 8.6.5 | HFIX-A955 |
| 8.6.6 | HFIX-A956 |
| 8.7.4 | HFIX-A957 |
| 8.7.5 | HFIX-A958 |
| 8.8.0 | HFIX-A960 |
| 8.8.1 | HFIX-A926 |
This is also a reminder that if you are using anonymous authentication, or a customized version of anonymous authentication, you should validate the default portal assigned to the access group used for that authentication, to ensure it exposes no more detail than intended.
For further information on authentication and anonymous authentication for mashups, please refer to the following article:
https://docs.pega.com/bundle/platform/page/platform/user-experience/authentication-mashups.html