Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases for one medium security vulnerability in Pega Platform. This issue can only be exploited by users with Pega Developer access. We would like to thank Louis Sohier of ENGIE IT Offensive Cybersecurity Team for finding this vulnerability.
| Advisory | Description | Impact | Remediations |
|---|---|---|---|
| G25 | 1 - Cross Site Script (XSS) vulnerabilities | Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. | 23.1.5 Patch Release; 24.1.3 Patch Release; 24.2.2 Patch Release; 25.1.0 Release |
| G25 | 2 - Calendar creation issue | 24.1.3 and 24.2.2 releases only. Error during the Calendar creation process in Designer Studio with Pega Platform 24.1.3 or Pega Platform 24.2.2 releases. | 24.1.3: Apply hotfix HFIX-C2685 or update to 24.1.4 Patch Release; 24.2.2: Apply hotfix HFIX-C2684 or update to 24.2.3 Patch Release |
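The advisory describes XSS only in general terms, so the following is an added, generic example of the standard defence against it: contextual output encoding. It is not Pega's code and says nothing about the actual defect in the Calendar rule; the "calendar entry" rendering, the field names and the sample hostile input are all constructed for illustration. Untrusted values are HTML-encoded before being placed into markup, and link targets are restricted to http(s) URLs, so a script payload ends up as inert text rather than executable code.

```javascript
// Added example, not part of the Pega advisory or Pega Platform code.
// Demonstrates output encoding as the primary mitigation for XSS.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a value for safe placement in HTML element content or in a
// double-quoted attribute value. The five characters replaced are the
// ones that can terminate text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) URLs in href attributes. Anything else (for example a
// javascript: scheme, or a string that is not a URL at all) is replaced by a
// harmless fragment link.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return "#";
  }
  const ok = parsed.protocol === "http:" || parsed.protocol === "https:";
  return ok ? parsed.href : "#";
}

// Hypothetical rendering of one calendar entry (not how Pega renders
// calendars). Every dynamic value passes through the encoder that matches
// the context it is inserted into: element text, attribute value, or URL.
function renderEntry(entry) {
  return (
    "<tr>" +
    `<td>${escapeHtml(entry.title)}</td>` +
    `<td><a href="${escapeHtml(safeHref(entry.link))}">` +
    `${escapeHtml(entry.linkText)}</a></td>` +
    "</tr>"
  );
}

// Constructed sample input with a hostile title and link (not from the advisory).
const sampleEntry = {
  title: 'Team sync <img src=x onerror="alert(1)">',
  link: "javascript:alert(1)",
  linkText: "details",
};

// Returns the encoded markup so a caller can inspect it; the tag in the
// title survives only as &lt;img ...&gt; text and the link collapses to "#".
function demo() {
  return renderEntry(sampleEntry);
}

console.log(demo());
```

The key design point is that encoding is chosen per output context: `escapeHtml` is correct for element text and quoted attributes, but an `href` additionally needs scheme validation, because a perfectly well-encoded `javascript:` URL is still executable when clicked.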
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the Pega Platform patch releases listed above. In addition, hotfixes are provided for Pega Platform 24.1.3 and 24.2.2 releases only.
As always, we recommend our clients review our Security Checklist regularly.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, security, and bug fixes. See Keeping Current With Pega for more information.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar
Remediations
- For Pega Platform releases 23.1.5 or 25.1.0, your release has already been corrected. No further action is required.
- The Calendar creation issue affected Pega Platform releases 24.1.3 and 24.2.2. To address this issue, the following remediations are available:
  - 24.1.3: Apply hotfix HFIX-C2685 or update to 24.1.4 Patch Release
  - 24.2.2: Apply hotfix HFIX-C2684 or update to 24.2.3 Patch Release
- Later Pega Platform releases such as 24.1.4 include the fix for the Calendar creation issue.
CVE Details
| CVE Details | XSS issue with Calendar |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.x to 24.2.1 |
| CVE ID | CVE-2025-8681 |
| CVSS Rating | Medium – 5.5 |
| Description | Cross Site Script (XSS) vulnerability |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.