2021 Security Bulletin
Microsoft recently reported that Nobelium, the threat actor behind the SolarWinds compromise in December 2020, is again actively trying to access corporate technology supply chains. Pega's security team continuously monitors its corporate and Pega Cloud infrastructure, and, to date, we have not detected any unusual activity indicating a Nobelium-related compromise. In addition, our suppliers have not advised us of any related compromises. We will continue to engage third parties to assess and enhance our security infrastructure through penetration testing, purple team exercises, and adversary hunts.
Cloud SSL Cipher Suite Changes
Changes in supported TLS protocols and ciphers suites take effect as a result of any environment infrastructure update that takes place after September 2021. To learn more about these changes and the TLS encryption settings that are supported, see Data-in-transit encryption in Pega Cloud article and link.
2020 Security Bulletin
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.