SR-B85132 · Issue 334749
SAML enhancements added with OperatorContext availability fix
Resolved in Pega Version 7.4
The activity pyEstablishOperatorContext availability was incorrectly marked as final. This has been fixed and is "Available, Extension". In addition, many other enhancements have been added towards the goal of no-code configuration of SAML SSO authentication. SAML SSO is the most widely used authentication in production, but has historically required complex custom code. Please see the release notes for more information about Single Page UI Configuration and Adaptive Design for Authentication Run-time.
SR-B86311 · Issue 336269
Enhanced security by masking requestor-ID
Resolved in Pega Version 7.4
In order to improve session security against potential hijacking of a session, the Pega-RULES cookie will be masked in various locations, such as log files, SMA, tracer, exceptions, etc. by exposing only the first character (as it depicts the type of requestor) and the last four characters.
SR-B86311 · Issue 338968
Enhanced security by masking requestor-ID
Resolved in Pega Version 7.4
In order to improve session security against potential hijacking of a session, the Pega-RULES cookie will be masked in various locations, such as log files, SMA, tracer, exceptions, etc. by exposing only the first character (as it depicts the type of requestor) and the last four characters.
SR-B86311 · Issue 340639
Enhanced security by masking requestor-ID
Resolved in Pega Version 7.4
In order to improve session security against potential hijacking of a session, the Pega-RULES cookie will be masked in various locations, such as log files, SMA, tracer, exceptions, etc. by exposing only the first character (as it depicts the type of requestor) and the last four characters.
SR-B86311 · Issue 341403
Enhanced security by masking requestor-ID
Resolved in Pega Version 7.4
In order to improve session security against potential hijacking of a session, the Pega-RULES cookie will be masked in various locations, such as log files, SMA, tracer, exceptions, etc. by exposing only the first character (as it depicts the type of requestor) and the last four characters.
SR-B88923 · Issue 337768
Utility added to check for operators using default passwords
Resolved in Pega Version 7.4
To enhance security and ease of administration, a utility has been added that can disable default operators that ship with Pega Platform and Strategic Apps if the password hasn't been changed. This utility can be called as a service by PegaCloud. Please see the release notes for more information.
SR-B89114 · Issue 339165
XSS filtering added to ImportSpecExcel
Resolved in Pega Version 7.4
The control 'pzImportSpecExcel' has been modified to secure the property pyImportFileName with XSS filtering.
SR-B91752 · Issue 340794
TrackSecurityChanges passes correct values for page groups
Resolved in Pega Version 7.4
The pzTrackSecurityChanges Utility is called from the TracKSecurityChangesLogic activity whenever the value changes for an audited property. For this function, current value and previous value are passed from the clipboard. However, in cases of page groups, the parent property was being passed instead of the current and previous values. This has been fixed.
SR-B93715 · Issue 344806
Apache Groovy updated
Resolved in Pega Version 7.4
Apache Groovy has been updated to 2.4.4 for improved security.
SR-B93934 · Issue 340753
Sensitive handling added for validation of encrypted SOAP
Resolved in Pega Version 7.4
The WSS4J library was not calculating the processing actions validation on encrypted SOAP messages correctly after the message's security requirements were already processed by the library. This means that the verification of signature or decryption or any other actions worked and the necessary security processors were engaged correctly, however the check was failing during the last leg of the processing actions validation. Since the action matching is of less significance, the validation for actions will be relaxed in situations where the ws-security config is signature and encryption and/or timestamp.