CVE-2023-28094: Support Center

Pega platform clients who are using versions 6.1 through 8.8.3 and have upgraded from a version prior to 8.x may be utilizing default credentials.


Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale.

We would like to thank Mohamad Shokor for working with us to help protect our clients regarding Default Operators. Pega issued this Security Advisory to remind clients of our leading practices as found in our installation and security checklist guides.

Issue: C23
Description: Default Operators
Impact:

Default Operators have been identified by OWASP as a security threat, because they can ship with publicly known user name/password combinations.

Default Operators are shipped as disabled in Pega Infinity 8.X versions and will be removed for new Pega Infinity ‘23 deployments. Clients who have upgraded from a version prior to 8.x may be affected.

The researcher contacted clients who had not changed the passwords of their default operators.

Guidance for all clients is provided at: https://docs.pega.com/bundle/platform-88/page/platform/security/securit….

To prevent unauthorized access with default passwords, change the passwords for all default operators, and disable or delete the operator IDs that you do not plan to use.
Note: The passwords of disabled operators should be changed as well.
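The advisory's scoping rule (versions 6.1 through 8.8.3, with 8.x only affected when upgraded from a pre-8.x release) and its remediation steps, encoded as a small triage helper. This is an added example, not Pega's code; the operator records, their field names and the sample inventory are constructed for illustration and do not reflect any Pega schema or API.

```python
# Added example, not Pega code: records and field names are constructed, not a Pega schema.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (6, 1)      # lowest affected release named in the advisory
AFFECTED_MAX = (8, 8, 3)   # highest affected release named in the advisory

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))

def install_is_affected(current: str, upgraded_from: Optional[str]) -> bool:
    """6.1 through 8.8.3 is in scope; 8.x only if upgraded from pre-8.x (8.x ships defaults disabled)."""
    cur = parse_version(current)
    if not (AFFECTED_MIN <= cur <= AFFECTED_MAX):
        return False
    if cur[0] >= 8:
        return upgraded_from is not None and parse_version(upgraded_from)[0] < 8
    return True

@dataclass
class Operator:                # constructed record shape for illustration only
    operator_id: str
    is_default: bool           # shipped with the product
    enabled: bool
    password_changed: bool     # differs from the shipped default password
    in_use: bool               # somebody actually needs this operator ID

def operator_actions(ops: List[Operator]) -> Dict[str, List[str]]:
    """Map each default operator to the remediation the advisory asks for."""
    actions: Dict[str, List[str]] = {}
    for op in ops:
        if not op.is_default:
            continue
        todo = []
        if not op.password_changed:
            todo.append("change password")       # required even when the operator is disabled
        if not op.in_use and op.enabled:
            todo.append("disable or delete")     # unused IDs should not stay enabled
        if todo:
            actions[op.operator_id] = todo
    return actions

# Constructed sample inventory for an 8.8.3 system that was upgraded from 7.x.
SAMPLE_OPERATORS = [
    Operator("default-op-ok", True, True, True, True),
    Operator("default-op-disabled", True, False, False, False),
    Operator("default-op-unused", True, True, False, False),
    Operator("custom-op", False, True, False, True),
]
```

Running operator_actions over the sample flags the disabled default operator for a password change only, and the unused enabled one for both a password change and disabling or deletion.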

It is very important to keep your Pega systems current on the latest patch releases.

For more detailed information, please review your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on April 24, 2023, in My Support Portal.

CVE Details

Issue: C23
Software / Product: Pega Platform
Affected Versions: From 6.1 to 8.8.X
CVE ID: CVE-2023-28094
CVSS Rating: 8.1
Description: Default Operators
