SR-D75097 · Issue 539515
Improved handling against formula injection attacks in Export to ExcelJJ
Resolved in Pega Version 8.3.3
Every time a possibly vulnerable cell value was found during Export to Excel, the value on that cell was modified to prevent a formula injection attack. If the value was non numeric, it would still render an apostrophe, although it should be hidden. Previous work on this issue involved the addition of a DSS which allowed this security to be disabled if the Excel was going to be consumed by an external tool, but the security implementation used to protect against calculation injection has reworked the ExcelSecurity utility function to allow the ability to change the cell style of a cell that is potentially vulnerable to formula injection attacks. This change no longer changes the cell value but instead applies a new cell style that has quotePrefix enabled.
SR-D83060 · Issue 547918
Repaired History class report column sorting
Resolved in Pega Version 8.3.3
Attempting to sort any of the columns in a report using the History class did not render the results and the error "Cannot render the section" appeared. Tracer showed a Fail status for some out-of-the-box activities with the message "java.lang.StringIndexOutOfBoundsException". Investigation showed the logic in pzMergeAutoGenForProp activity was failing because the pyIsFunction property was not set on the UIField pages for function columns. To resolve this, the logic for pzMergeAutoGenForProp has been modified to get pyIsFunction from the field name.
SR-D83373 · Issue 545750
Stage Label name displayed in chart
Resolved in Pega Version 8.3.3
When pyCaseStatusControl was used, the cases label was displayed as $label instead of the Case Name. This was related to the version of Fusion Charts included, and has been resolved for this release by modifying library code in fusioncharts.js to fix the issue in datasetrollover listener code. Fusion Charts will be upgraded in v8.5 for a more complete solution to this issue.
SR-D79796 · Issue 544947
Updates made for deprecated Fusion chart styles
Resolved in Pega Version 8.3.3
Trying to change the background colors or font sizes for the values on the x-axis and y-axis in a report was not working. This was traced to Fusion deprecating the use of `<styles>` definitions with the introduction of JavaScript charts, and has been resolved by updating the code to compensate for this change.
SR-D86864 · Issue 548092
Very long auto-generated index trimmed for use in Report Browser
Resolved in Pega Version 8.3.3
The creation of a new report via the user report browser failed if there was an index with a long name (over 30 characters). The out-of-the-box method automatically generated the prefix, but the Report editor could not handle the very long declare index name and as a result did not consider properties from the embedded pages. To resolve this, pzUpdateAssociation and pzInsertNewReportColumn have been updated to trim the prefix for the declare index to 30 characters and allow for adding a new column to the report. This work does not cover adding a new filter to the report, as that fix would require substantial changes to reporting logic.
SR-D86011 · Issue 548152
Browser fingerprint validation issue resolved
Resolved in Pega Version 8.3.3
After upgrade, Pega logoff was happening automatically within five minutes while using Microsoft Internet Explorer. This was traced to the COSMOS-based portal in Microsoft Internet Explorer 11 generating different hashes for different parts of the screen, causing a "Browser fingerprint validation failed" error because of the pzBFP token mismatch. To resolve this, an update has been made to exclude the graphic components for calculation of browserfingerprint.
SR-D96395 · Issue 555117
CDK key loading modified for better database compatibility
Resolved in Pega Version 8.3.3
Users were unable to log on to the system and received the error "There has been an issue; please consult your system administrator." Investigation showed the log errors stating "(dataencryption.DataKeyProvider) ERROR localhost - Could not get CDK from systemKeyManagementCache - System CDK is null". This was an issue specific to the MS SQL Server database when there were 6 or more CDKs in the database: CDK keys are loaded from database into Cache using an SQL statement which had the ORDER clause. By default, the ORDER clause treats NULL values differently on different databases, and this caused MS SQL databases to not load a necessary CDK key. To resolve this, the SQL query has been modified so the result will be the same for all supported daatbases (Oracle, Postgres & MS SQL Server).
SR-D79181 · Issue 551123
OKTA receives parameters on logout
Resolved in Pega Version 8.3.3
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D75498 · Issue 545068
Resolved null-pointer exception for Token based Authenticated Rest
Resolved in Pega Version 8.3.3
When logging in with auth0 OIDC auth service and then trying to use connect-Rest with an authentication profile using an auth0 provider, a null pointer error was generated indicating connect-Rest could not find the Access token. Even thought the Authentication service (OIDC) and authentication profile (authorization grant) both had the same scopes (“openid profile email”), OIDC flow and authentication profile save the Access Token with different scopes. Specifically, OIDC saves the token with an extra trailing space. Handling has been added to correct this.