CVEs & pega platform 7.4

Hi, where can I find information on whether there are solutions for the following CVEs for a client on Pega Platform 7.4?

CVE-2020-8774 - reflected cross-site scripting

CVE-2020-24353 - cross-site scripting

CVE-2020-11023, CVE-2020-11022 - jquery versions

@yipy1, your first port of call would probably be to check the Security Bulletins, which you can get to via the Pega Trust Centre.

The Pega Documentation also lists Security Advisories.

The forum discussions list notifications regarding version-specific Critical Hotfixes.

You can also check the following link for details on whether or not these would actually have any impact.

Pega 7.4 is an older version and therefore uses an earlier version of jQuery.

We would urge you to consider upgrading to the latest versions of Pega because of the important security and reliability improvements that are delivered with each new release.

Please find below the ‘Pega software maintenance and extended support policy’.

Answers to your specific Common Vulnerabilities and Exposures:

  1. CVE-2020-8774
    This change can be done only at the environment level, as a local change to prweb.war/diagnostic/error.jsp and status.jsp.

Change:
Before - <%= new Date(System.currentTimeMillis()) %>. <%= sETierVersion %>
After - <%= new Date(System.currentTimeMillis()) %>.
Remove the <%= sETierVersion %> expression.

i.e. please follow the suggested local change below:

  1. Open the prweb.war archive in the distribution media
  2. Navigate to the Diagnostic folder
  3. Open the Status.jsp file
  4. Comment out or remove the code responsible for displaying the engine version:
     Before - <%= new Date(System.currentTimeMillis()) %>. <%= sETierVersion %>
     After - <%= new Date(System.currentTimeMillis()) %>.
  5. Save the file or repackage the war file and deploy it to the application server
  6. Restart the nodes

For Pega Cloud deployment:
Please apply this change to the CCB so that it is included in every deployment/restart.

  2. CVE-2021-27653

I believe for 7.4 you’ll need to log a support incident requesting:

HFIX-81704
HFIX-81706
HFIX-81735
HFIX-50728

  3. CVE-2020-11023 and CVE-2020-11022

As documented in the following articles, you will need to upgrade to 8.5.2 or higher to get the latest jQuery version:

Upgrading jQuery is very complex and would introduce major regressions; thus Pega only upgrades jQuery in new releases to address security fixes.

Since you are on the much older 7.4 version, you should look to upgrade to the latest Pega Platform version to take advantage of the latest security improvements. jQuery cannot be provided as a hotfix.

In version 8.6, jQuery is updated to 3.5.1. As per this URL: Potential XSS vulnerability in jQuery · CVE-2020-11022 · GitHub Advisory Database · GitHub, 3.5.1 is not an affected version for this vulnerability in jQuery.
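The thread gives two checks a Pega administrator would want to verify on their own deployment: that the engine-version expression has been removed (or commented out) from the JSPs under prweb.war/diagnostic, and that any bundled jQuery build is at or above 3.5.0, the first release the linked advisory lists as not affected by CVE-2020-11022/CVE-2020-11023. The following script is an added example, not code from the thread or from Pega; it audits a WAR file offline for both findings. The diagnostic/status.jsp and error.jsp paths and the Before/After lines are taken from the answer above; the jQuery file names, the sample WAR contents and the helper names are constructed for the example.

```python
import io
import re
import zipfile

# Engine-version expression the answer says to remove from
# prweb.war/diagnostic/status.jsp and error.jsp.
_VERSION_EXPR = re.compile(r"<%=\s*sETierVersion\s*%>")
# JSP block comments (<%-- ... --%>) are never rendered, so an expression
# inside one counts as "commented out" (step 4 of the local change).
_JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# Version banner jQuery ships in both minified and full builds.
_JQUERY_BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)")
# Fallback: version encoded in the file name (constructed convention).
_JQUERY_FILENAME = re.compile(r"jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$")
# Per the GitHub advisories for CVE-2020-11022/11023, 3.5.0 is the first fixed release
# and 1.2 the first affected one.
JQUERY_FIRST_AFFECTED = (1, 2, 0)
JQUERY_FIXED = (3, 5, 0)


def jsp_discloses_engine_version(jsp_text: str) -> bool:
    """True if the JSP still renders sETierVersion outside a JSP comment."""
    live = _JSP_COMMENT.sub("", jsp_text)
    return _VERSION_EXPR.search(live) is not None


def jquery_version(path: str, js_text: str):
    """Return the jQuery version as a tuple of ints, or None if not identifiable."""
    m = _JQUERY_BANNER.search(js_text) or _JQUERY_FILENAME.search(path)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def jquery_affected(version) -> bool:
    """CVE-2020-11022/11023 affect jQuery >= 1.2 and < 3.5.0."""
    return JQUERY_FIRST_AFFECTED <= version < JQUERY_FIXED


def audit_war(war_bytes: bytes) -> dict:
    """Scan a WAR (any zip) for the two findings discussed in the thread."""
    findings = {"version_disclosure": [], "vulnerable_jquery": {}}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            lower = name.lower()
            if lower.startswith("diagnostic/") and lower.endswith(".jsp"):
                text = war.read(name).decode("utf-8", errors="replace")
                if jsp_discloses_engine_version(text):
                    findings["version_disclosure"].append(name)
            elif lower.endswith(".js") and "jquery" in lower:
                text = war.read(name).decode("utf-8", errors="replace")
                ver = jquery_version(name, text)
                if ver and jquery_affected(ver):
                    findings["vulnerable_jquery"][name] = ".".join(map(str, ver))
    return findings


def build_sample_war() -> bytes:
    """Constructed sample WAR: one unfixed JSP, one commented-out JSP, two jQuery builds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        # "Before" state from the answer: engine version still rendered.
        war.writestr("diagnostic/status.jsp",
                     "<%= new Date(System.currentTimeMillis()) %>. <%= sETierVersion %>\n")
        # Mitigated by commenting the expression out, as step 4 allows.
        war.writestr("diagnostic/error.jsp",
                     "<%= new Date(System.currentTimeMillis()) %>. <%-- <%= sETierVersion %> --%>\n")
        # Constructed jQuery banners; the 1.x build is in the affected range.
        war.writestr("scripts/jquery-1.12.4.min.js",
                     "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n")
        war.writestr("scripts/jquery-3.5.1.min.js",
                     "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_war(build_sample_war()).items():
        print(f"{key}: {value}")
```

Run it against a real prweb.war by passing the file's bytes to audit_war(); an empty `version_disclosure` list and an empty `vulnerable_jquery` dict mean both items from the thread are in the fixed state. The comment-stripping step matters because step 4 says "comment out or remove": a naive grep for sETierVersion would still flag a correctly mitigated file.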