URGENT action required
Pega has recently identified a medium severity issue with the Pega Portlet feature.
Java Specification Requests 168 and 286 (JSR 168 and JSR 286) describe a Java Application Programming Interface (API) for portlets, the user interface components displayed in web portal servers. The Pega Platform supports the development and deployment of JSR-compliant portlets.
The Portlet authentication service is available from Pega Platform 5.x to 8.6.x.
Clients must remove the PRPortletService authentication service and PortalServer records.
If PRPortletService and PortalServer records are not available, then no action is required.
This vulnerability requires a configuration change rather than a hotfix; as such, no hotfixes will be provided to remediate this issue. Steps to guide you through the configuration change are detailed in your Client Advisory, [CAD-] case, in My Support Portal. Pega recommends you follow the steps provided to secure your systems.
These steps should be applied regardless of your deployment type, that is, Pega Cloud, Pega Cloud for US Govt, Client Managed cloud, or On Premises.
If you are making use of the PRPortletService, please review the Pega Web Mashup details: The rule type Service Portlet has been replaced by Pega Web Mashup (8.8 version). [Pega Web Mashup (8.7 version) is also available].
If further assistance is needed, please raise an INCIDENT (For an issue I’m having) with Global Client Support via My Support Portal.
As always, we recommend our clients review our Security Checklist regularly.