2023 Security Bulletin
A bad actor with non-admin user access to a client desktop, with Pega Synchronization Engine, could modify configuration files and execute malicious code on the client desktop that could provide them with Administrative access.
2022 Security Bulletin
This issue allows authenticated users (including anonymous users) to escalate privileges and affects Pega Platform versions 8.5 and above. See Configuring an application to use an anonymous authentication service to learn more about anonymous users.
Pega Portlet Authentication issue: Java Specification Request 168 and 286 (JSR 168 and JSR 286) describes a Java Application Programming Interface (API) for portlets, the user interface components for display in web portal servers. The Pega Platform supports the development and deployment of JSR-compliant portlet.
In Pega Platform versions 8.1 and above, for on-premises clients, there is the potential for malicious actors to run Remote Code Execution using the JMX interface on Cassandra and Kafka, in situations where clients leave unneeded network ports exposed.
2021 Security Bulletin
Microsoft recently reported that Nobelium, the threat actor behind the SolarWinds compromise in December 2020, is again actively trying to access corporate technology supply chains. Pega's security team continuously monitors its corporate and Pega Cloud infrastructure, and, to date, we have not detected any unusual activity indicating a Nobelium-related compromise. In addition, our suppliers have not advised us of any related compromises. We will continue to engage third parties to assess and enhance our security infrastructure through penetration testing, purple team exercises, and adversary hunts.
Cloud SSL Cipher Suite Changes
Changes in supported TLS protocols and ciphers suites take effect as a result of any environment infrastructure update that takes place after September 2021. To learn more about these changes and the TLS encryption settings that are supported, see Data-in-transit encryption in Pega Cloud article and link.
2020 Security Bulletin
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.