SR-D55449 · Issue 523501
Cross-site scripting protection added to layout runtime java and whitelist validation available for host/XFHost
Resolved in Pega Version 8.3.2
In order to protect against Cross-site scripting issues, filtering has been added to the RepeatDynamicIndex parameter value in layout runtime java. In addition, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D55508 · Issue 521859
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.3.2
An error screen appeared with the message "Server response error, no update data returned" while doing a check out and check in of the offer rule. This was traced to CSRF token validation: in this scenario, a custom URL was being framed and the corresponding request did not have a valid CSRF/ Fingerprint token, which can occur when there are custom AJAX/Non-ajax URLs constructed manually in the non-autogenerated/HTML streams. To address this, handling has been added for CSRF and fingerprint tokens as part of the custom URL generation.
SR-D56063 · Issue 522857
Hazelcast upgraded to resolve node startup issue
Resolved in Pega Version 8.3.2
Post data upgrade, the ADM tier failed to start and the error "java.lang.IllegalStateException: Node failed to start!" appeared. This was traced to a dormant bug in Hazelcast 3.11 that caused starting nodes to fail when the Hazelcast master node was shutting down, which was exposed by recent Pega changes made to enable parallel restarts of nodes in Cloud environments. Hazelcast delivered a fix for the parallel restart problem and the hotfixed jar has been merged into the platform. In addition, previous logic for loading Admin Studio waited 30 seconds before timing out when fetching information for each node. This caused issues with large clusters and Admin Studio not loading. The logic has been updated in the Admin Studio UI to load the page despite delays/issues waiting for nodes to respond to the gathering of cluster data, and the algorithm to detect remote-call timeout has been updated and is applicable to batch operation.
SR-D56409 · Issue 520742
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.3.2
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D56527 · Issue 538301
DSS PegaAESREmote*ResetTableStats set to false
Resolved in Pega Version 8.3.2
In order to prevent an issue with resetting table stats that potentially impacts postgres in an unintended fashion, the DSS PegaAESREmote*ResetTableStats has been set to false.
SR-D57038 · Issue 519379
JobScheduler DST handling updated
Resolved in Pega Version 8.3.2
When the locale being used changed out of Daylight Savings Time, scheduled jobs did run at the same local time as before but instead ran an hour earlier than expected. Investigation showed that jobscheduler calculated the next runtime based on the time difference from the cluster reference time and current time in milliseconds, and this offset in milliseconds was added to next run time. Since the cluster was started in DST, the job was running on same time due to the time difference. To resolve this, the system will use a calculation offset and set hours/minutes to nextRunTime object so that calendar lib handles daylight savings.
SR-D57444 · Issue 519166
Scripts provided to remove unneeded TenantID for Cloud upgrade
Resolved in Pega Version 8.3.2
Cloud upgrade from 8.3 to 8.3.1 was failing in a multi-tenant environment during creation of the Data-MigrationPoint instance. This was traced to pzTenantId not being included in the insert statement when the table included the pzTenantId column. As the column is unnecessary and was only included in the table for completeness, scripts have been provided to remove the pzTenantId column from the table for 8.3.0 and 8.3.1 MT deployments and remove pzTenantId from table in pegarules-master.xml to resolve this issue.
SR-D58702 · Issue 519241
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D58927 · Issue 522288
Added expiration for orphaned tracers
Resolved in Pega Version 8.3.2
After tracing a REST service, the tracer was persisting but not showing in the requestor list from Admin studio. The operator shown in the error did not have access to the system anymore, and other users were not able to trace the service rule. Trying to clear the requestors in all the nodes using API POST /nodes/{nodeID}/pools/requestor/clear also did not resolve the issue. To address this, a distributed rule watch expiration has been added.
SR-D59262 · Issue 523615
Cleanup added for staging directory
Resolved in Pega Version 8.3.2
Temporary files from imports and exports (from DevOps) were filling up the staging area disk space because there was no automatic process for cleaning up these local files. This has been resolved by adding an enhancement that will clear the directory on Engine Startup and any time ParUtils.setStagingDirectory gets called to initialize the staging directory.