CVE-2023-28094: Support Center
Pega platform clients who are using versions 6.1 through 8.8.3 and have upgraded from a version prior to 8.x may be utilizing default credentials.
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale.
We would like to thank Mohamad Shokor for working with us to help protect our clients regarding Default Operators. Pega issued this Security Advisory to remind clients of our leading practices as found in our installation and security checklist guides.
Issue: C23
Description: Default Operators
Impact:
Default Operators have been identified by OWASP as a security threat, because they can ship with known user/password combinations.
Default Operators are shipped as disabled in Pega Infinity 8.X versions and will be removed for new Pega Infinity ‘23 deployments. Clients who have upgraded from a version prior to 8.x may be affected.
The researcher contacted clients who had not changed the passwords of their default operators.
For all clients, guidance is being provided as follows: https://docs.pega.com/bundle/platform-88/page/platform/security/securit….
To prevent unauthorized access with default passwords, change the passwords for all default operators. Disable or delete the operator IDs that you do not plan to use.
Note: The passwords should be changed for disabled operators as well.
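To make the guidance above checkable, here is an added audit script (not Pega's code) that walks an exported operator inventory and flags default operators still on the shipped password, including disabled ones, plus enabled default operators the client no longer needs. The operator IDs, the record fields and the default-password value are constructed placeholders, since the advisory does not list them.

```python
import hashlib
from dataclasses import dataclass

# Placeholder for the shipped default secret; the real value is not on the page.
_DEFAULT_PASSWORD_PLACEHOLDER = "PLACEHOLDER-DEFAULT-PASSWORD"

def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

KNOWN_DEFAULT_HASHES = {_hash(_DEFAULT_PASSWORD_PLACEHOLDER)}

@dataclass
class Operator:
    operator_id: str
    is_default: bool   # shipped with the platform, not created by the client
    enabled: bool
    password_hash: str
    in_use: bool       # the client still needs this operator

def audit(operators: list[Operator]) -> list[tuple[str, str, str]]:
    """Return (operator_id, severity, action) for each operator that breaks the guidance."""
    findings = []
    for op in operators:
        if not op.is_default:
            continue  # the advisory's scope is default operators only
        on_default_pw = op.password_hash in KNOWN_DEFAULT_HASHES
        if on_default_pw and op.enabled:
            findings.append((op.operator_id, "high", "change password; disable or delete if unused"))
        elif on_default_pw:
            # Advisory note: passwords must be changed for disabled operators as well.
            findings.append((op.operator_id, "medium", "change password even though disabled"))
        elif op.enabled and not op.in_use:
            findings.append((op.operator_id, "low", "disable or delete unused default operator"))
    return findings

# Constructed sample inventory; these are not real Pega operator IDs.
SAMPLE = [
    Operator("default-op-a", True, True, _hash(_DEFAULT_PASSWORD_PLACEHOLDER), False),
    Operator("default-op-b", True, False, _hash(_DEFAULT_PASSWORD_PLACEHOLDER), False),
    Operator("default-op-c", True, True, _hash("client-rotated-secret"), False),
    Operator("default-op-d", True, True, _hash("client-rotated-secret"), True),
]

if __name__ == "__main__":
    for operator_id, severity, action in audit(SAMPLE):
        print(f"{severity:6} {operator_id}: {action}")
```

Running it on the constructed sample reports a high finding for the enabled operator on the shipped password, a medium one for the disabled operator that still has it, and a low one for the unused default operator that is still enabled.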
It is very important to keep your Pega systems current on the latest patch releases.
For more detailed information, please review your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on April 24, 2023, in My Support Portal.
CVE Details
Issue: C23
Software / Product: Pega Platform
Affected Versions: From 6.1 to 8.8.X
CVE ID: CVE-2023-28094
CVSS Rating: 8.1
Description: Default Operators