Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale.
This issue allows authenticated users (including anonymous users) to escalate privileges and affects Pega Platform versions 8.5 and above. See Configuring an application to use an anonymous authentication service to learn more about anonymous users.
We are not aware of any of our clients being compromised as a result of this vulnerability.
To resolve this issue, Pega has created H22 remediations for the latest patch releases for version 8.5.6 and above. It is very important to keep your Pega systems current on the latest patch releases.
This remediation relies on the proper configuration of the Pega Platform Basic Access Control (BAC) feature. Steps to guide you through the configuration of the Pega Platform BAC feature are detailed in your Client Advisory, [CAD-] case, in My Support Portal.
NOTE: If you use custom activities for ReloadHarness and ReloadSection, you must register these custom activities in a permit list after applying the remediation. See Verifying requests when using custom controls to learn more about registering custom activities and controls.
If you are a Pega Cloud® client, your Pega Cloud environments, running the relevant Pega versions listed in the table below, are proactively remediated by Pega. CM cases are created for each of your environments, which provide the schedule of when the remediation will be applied.
If you are a United States Pega Cloud for Government (PCFG) client, SR cases are being created which will provide the relevant remediation for you to apply to your PCFG environments. The Pega Cloud team must then restart your system for the remediation to take effect.
If you are a client-managed cloud or on-premises client, please review the Matrix of H22 remediations by Pega Platform version table below to determine which remediation (patch or hotfix) corresponds to your Pegasystems installation. Once you have determined the appropriate remediation, please follow the instructions below:
- For a Patch: please request the latest patch via MyPega.
- For a Hotfix: please submit hotfix requests using My Support Portal. As always, be sure you have appropriate backups in place before applying the hotfixes. Note that a system restart will be required for the hotfixes to take effect.
As always, we recommend our clients review the Pega Platform Security Checklist regularly.
Matrix of H22 remediations by Pega Platform Version
| Version | Hotfix / Patch Release |
|---|---|
| 8.5.6 | Install 8.5.6 + HFIX-84421 |
| 8.6.6 | Fix is available in Patch Release – Now available |
| 8.7.4* | Patch Release – Now available – Install 8.7.4 + HFIX-84702 |
| 8.8 | Update to 8.8.1 Patch Release |
| 8.8.1 | Fix is available in Patch Release – Now available |
* We issued a hotfix for 8.7.4, rather than asking clients to wait for 8.7.5.
Detailed Hotfix Installation Steps can be found in your Client Advisory, [CAD-] case, in My Support Portal.
H22 and BAC update for Attended RPA (Robotics)
The hotfixes for 8.5.6 (HFIX-84421) and 8.7.4 (HFIX-84702) for the H22 Security Advisory were released on December 6, 2022. The hotfixes were updated on December 8, 2022, to cover additional pre-registration of activities for Attended RPA (Robotics). This only impacts Attended RPA (Robotics) when BAC is enabled and the DSS security/validateReloadParameters is enabled, as described in the initial CAD notification.
A limited number of organisations were identified as having downloaded one of these two fixes after the initial release and before the additional registrations were added. These clients were notified via a separate Client Advisory and asked to obtain and install the latest 8.5.6 (HFIX-84421) or 8.7.4 (HFIX-84702) hotfix. Those affected clients did not need to uninstall the prior version of the fix first; they only needed to install the latest hotfix to add the additional registrations.
This latest hotfix did not alter the DSS setting security/validateReloadParameters. If you explicitly enabled it, it will still be enabled. If you have not enabled it, refer to the CAD notification for steps to enable it.