SR-A3011 · Issue 213185
Revised checksum to update imported rules
Resolved in Pega Version 7.2
When exporting updated rules after upgrade, a new rule in Data Transforms, Activities, and When was not being consistently used at runtime until the rule was resaved or the Virtual Rule Table Cache was regenerated. Beginning with Pega 7.1.8, a new property called pxSaveDateTime was added to rules. This new property is used in the checksum calculation to determine if a rule needs to be reassembled. However, when importing rules changed in pre-Pega 7.1.8 environments, the checksum calculation doesn't recognize the rule has changed. A change has been made to use pxUpdateDateTime as an alternative when pxSaveDateTime is not present in the rule.
SR-A2768 · Issue 207926
Security enhancement updates for Apache Struts
Resolved in Pega Version 7.2
Apache Struts 2.0.0 through 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism by predicting the token that is generated to prevent double submits. The system has now been updated to use higher versions to remove this vulnerability: asm-commons (3.3 updated to 5.0.2) xwork-core (2.3.16.3 updated to 2.3.20.1) asm-tree (3.3 updated to 5.0.2) asm (3.3 updated to 5.0.2) commons-lang3 (3.1 updated to 3.2)
SR-A6195 · Issue 213843
Security enhancement updates for Apache Struts
Resolved in Pega Version 7.2
Apache Struts 2.0.0 through 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism by predicting the token that is generated to prevent double submits. The system has now been updated to use higher versions to remove this vulnerability: asm-commons (3.3 updated to 5.0.2) xwork-core (2.3.16.3 updated to 2.3.20.1) asm-tree (3.3 updated to 5.0.2) asm (3.3 updated to 5.0.2) commons-lang3 (3.1 updated to 3.2)
SR-A2768 · Issue 194111
Security enhancement updates for Apache Struts
Resolved in Pega Version 7.2
Apache Struts 2.0.0 through 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism by predicting the token that is generated to prevent double submits. The system has now been updated to use higher versions to remove this vulnerability: asm-commons (3.3 updated to 5.0.2) xwork-core (2.3.16.3 updated to 2.3.20.1) asm-tree (3.3 updated to 5.0.2) asm (3.3 updated to 5.0.2) commons-lang3 (3.1 updated to 3.2)
SR-A7433 · Issue 216781
Updated BIX Manifest pxTotalInsertsCount to handle XML extraction failures
Resolved in Pega Version 7.2
The BIX Manifest pxTotalInsertsCount was incorrect when the extract type was XML and extraction has failed for few work-objects. This was caused by missing decremention, and the code has been updated to ensure the manifest matches the record counts from the ingestion of the XML data.
SR-A4883 · Issue 216593
Updating caching to ensure proper rule resolution
Resolved in Pega Version 7.2
For performance reasons, a Requestor level is used to hold data page definitions. However, two data pages with the same name but in different rulesets caused Rule Resolution to not pick the datapage from correct RS Version consistently. This has been corrected by appending a personal ruleset hash name with data page name before putting the definition in cache.
SR-A4005 · Issue 211179
Check added to pass value instead of parameter name from icon control
Resolved in Pega Version 7.2
After upgrade, an issue was found with passing a property to an activity from the deprecated icon control: instead of the value of the property, the property name itself was passed to the parameter of the DoAction activity. A check has been added to the generateButton RUF to catch property references and populate the property value at run time instead of the property name as a literal value.
SR-A6169 · Issue 204154
Corrected compilation error when using param.value in Repeat Layout label
Resolved in Pega Version 7.2
A compilation issue was encountered when a parameter was used in a repeat section cell due to the paramStrValue being double encoded. This has been resolved by adding a check that will skip the extraneous encoding.
SR-A10502 · Issue 220758
Ill-formed Operator IDS auto-set to Hourly
Resolved in Pega Version 7.2
Operators with an empty license type parameter were being treated as Web based users rather than Hourly usage. This was traced to the PRPC license daemon electing to treat the usage data as Invocation usage data when a User with an ill-formed Operator ID signed into and used PRPC. This was an issue with the problematic ID causing an Empty value check in the licensetype value, and a check has been added to divert ill-formed operator IDs to hourly usage status.
SR-A5299 · Issue 217135
Resolved empty context NPE in parse clipboard activation
Resolved in Pega Version 7.2
A NPE was being generated during thread activation of some parse clipboard pages . This was traced to a wrapper command used to set special java status, and the code has been updated to ensure that the engine context is not empty in these cases.