Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued patch releases for one medium-severity security vulnerability in Pega Platform. We would like to thank Eric Kahlert from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issue and working with us as we addressed this vulnerability.
| Advisory | Description | Impact | Remediation |
|---|---|---|---|
| H25 | 1 - Insecure Direct Object Reference vulnerability | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. | 23.1.5 Patch Release; 24.1.4 Patch Release; 24.2.3 Patch Release; 25.1.0 Release |
We are not aware of any of our clients being compromised as a result of this vulnerability.
The remediation for this issue will be included as part of the product in the Pega Platform patch releases listed above. No hotfixes will be provided.
With the remediation, Pega Platform now ships the pyCanGenerateDocumentThumbnail when rule set to false by default. This disables thumbnail generation for Pega Document type attachments. If you are currently using this functionality, please review your implementation in conjunction with the remediation behavior.
To provide temporary remediation, clients can set pyCanGenerateDocumentThumbnail to false until the permanent fix is available, at which point they should remove the local change.
As always, we recommend our clients review our Security Checklist regularly.
Dates for upcoming patch releases can be found here: Pega Infinity Patch Calendar.
CVE Details
| CVE Details | Insecure Direct Object Reference |
|---|---|
| Software/Product | Pega Platform |
| Affected Version(s) | From 7.x to 24.2.2 |
| CVE ID | CVE-2025-9559 |
| CVSS Rating | Medium – 6.5 |
| Description | Insecure Direct Object Reference vulnerability |
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.