.NET Framework agent release notes

Release date: October 6, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Fixed an escalation of privilege vulnerability in the agent's auto-upgrade feature by moving the .NET Framework agent to the Agent Upgrade Service. The Agent Upgrade Service is not affected by this vulnerability.

Important notes:

  • The .NET Framework agent now includes a separate Agent Upgrade Service that can be used to keep the .NET Framework and .NET Core agents up to date. Auto-upgrade has been removed from the agent itself. The Agent Upgrade Service downloads the latest .NET Framework agent from the configured NuGet repository and has a configuration file for each installed agent that controls how that agent is upgraded.

  • The next version of the .NET Framework agent will move to semantic versioning, starting with version 50.0.0.

Release date: September 22, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved detection of database connections of an unknown type (that is, not one of the recognized providers such as SQL, ODBC, OleDB, MySQL, and so on).

Important notes:

  • The Contrast .NET Framework agent will switch to use semantic versioning in a future version. Semantic versioning will start with version 50.0.0 in order to maintain the agent's auto-upgrade capability and clearly differentiate the future release from the current calendar-based versioning scheme.

Release date: September 1, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Further reduced the amount of memory used by the agent's profiler component.

  • Reduced the agent's per-request overhead.

Release date: August 16, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • The agent will no longer report a weak hash algorithm used internally by the Azure Storage client SDK.

Release date: July 22, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Tray now provides a link to the data directory specified at install time.

  • Further reduced memory usage of the agent's profiler component.

Release date: July 12, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Reduced the amount of memory used by the agent's profiler component.

Bug fixes:

  • Agent did not respect URL-based exclusions for Assess response-based rules. (DOTNET-3161)

  • Agent could fail to initialize when it failed to inspect the main module of the current process. (DOTNET-3162)

Release date: June 30, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Protect will no longer report semantic SQL findings on queries constructed safely using Entity Framework 6.

  • Profiler will now log all profiler settings, not just settings from the YAML file.

  • Profiler will no longer instrument the diagnostics tool, PowerShell, or PowerShell Core.

  • Improved Assess coverage of APIs that return a Task.

Release date: June 22, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Protect will no longer report semantic SQL chaining on queries constructed safely using LINQ to SQL.

  • Protect will no longer report use of dangerous functions on queries constructed safely using Entity Framework.

Bug fixes:

  • Assess will no longer report untrusted deserialization against Json.NET JsonSerializerProxy. (DOTNET-3031)

  • Protect will no longer report untrusted deserialization within System.Web.Services.Protocols.SoapHttpClientProtocol..ctor(). (DOTNET-3042)

Release date: June 14, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Protect missed (false negative) attacks delivered through model-bound inputs in ASP.NET MVC applications when Assess was disabled. (DOTNET-3026)

  • Protect missed (false negative) attacks delivered through POST parameters in ASP.NET Web Forms applications when Assess was disabled. (DOTNET-3036)

  • Assess false positive when using JsonSerializerProxy with Json.NET deserialization. (DOTNET-3031)

Release date: June 10, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Protect semantic SQL Injection chaining will no longer report on safe queries generated by Entity Framework.

Bug fixes:

  • Agent did not send sessionId when reporting routes. (DOTNET-3021)

Release date: June 2, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved performance of calling into Contrast code from instrumented methods.

Release date: May 25, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • The agent would report a different route for discovery and observation of some ASPX pages with an inline class. (DOTNET-2928)

  • The agent would report untrusted deserialization when BinaryFormatter was used to copy an object with a string property set to untrusted data. (DOTNET-2905)

Release date: May 13, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Expanded Assess sql-injection coverage of NHibernate.

Release date: May 12, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • When instrumenting an application targeting .NET 4.0 through .NET 4.6.2, the agent will now report to Contrast via a separate application domain in order to support communication with Contrast over TLS 1.2.

  • Reduced memory used by agent to capture stack traces.

  • Improved performance of capturing repeated stack traces under Protect.

Bug fixes:

  • Agent could cause intermittent application crashes due to storing a reference to the ASP.NET HttpApplication and calling Dispose multiple times. (DOTNET-2902)

Release date: May 5, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Diagnostics check-process will now inspect logs in the logs directory specified by environment variable (if set).

  • Agent will now report agent errors to telemetry.

  • Agent now recognizes the HTML sanitization APIs from the AntiXSS library (previously the agent recognized the encoding methods primarily).

  • Agent now recognizes Path.GetFileName as a sanitizer for path-traversal.

  • Agent will no longer attempt to auto-upgrade if there is another install in progress on the server.

Bug fixes:

  • Agent could fail to identify Assess sources when inspecting a model bound object that mixed JObject type within a POCO type. (DOTNET-2810)

  • Library reporting could fail on obfuscated assemblies. (DOTNET-2846)

  • Agent reported sql-injection within the SQL query generation of the Oracle.DataAccess assembly. (DOTNET-2842)

Release date: April 19, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved logging when both CLR and CoreCLR are in the same process.

  • Added telemetry for installer failures.

  • Improved instrumentation performance under CLR Instrumentation Engine (CIE).

  • Implemented Assess NoSQL Injection rule.

Bug fixes:

  • Fixed an error in parsing certain SQL queries in Protect semantic SQL rules. (DOTNET-2807)

Release date: April 13, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Agent initialization will now log the final resolved value for assess.enable and protect.enable.

  • Improved agent performance when using the CLR Instrumentation Engine (CIE).

Bug fixes:

  • .NET Framework agent hangs on async tasks. (SUP-2667)

  • In some cases, the agent could report data from the same application for two servers with slightly different paths. (SUP-2700)

Release date: March 25, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved route discovery for Model View Controller (MVC).

  • Improved startup performance by removing XML serialization during startup.

Release date: March 15, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Fixed an Untrusted Deserialization false positive condition when running as OWIN self-hosted. (SUP-2613, SUP-2468)

  • Fixed the agent using excessive memory when registering routes with Json.NET. (SUP-2624)

Release date: March 10, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • The agent’s profiler component will no longer keep its log file locked after deciding not to instrument a process.

  • Improved accuracy for async APIs under Assess.

  • Added support for server.path configuration.

  • The agent will now report the host of Web Service components.

  • The agent's background service (DotNetAgentService.exe) will now run under its own virtual service account.

  • The agent will now identify database components for applications using the Oracle database driver.

Release date: March 4, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • When attempting to upgrade the agent, the uninstall of the previous version could fail and roll back, creating a loop. (DOTNET-2685)

Release date: March 2, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved agent performance.

  • Improved Assess data propagation on async methods.

  • Improved Assess detection of unsafe cryptographic algorithms.

  • The agent will now report the verb and URL template for discovered routes for Web API, WCF, and ASMX applications.

Bug fixes:

  • Agent did not handle a valid tls_versions configuration value of tls|tls11|tls12. (DOTNET-2551)

Release date: March 1, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Protect semantic SQL injection rules cannot be disabled individually. (SUP-2325)

Release date: February 23, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • URL exclusions are not respected by Protect semantic SQL injection rules. (SUP-2325)

Release date: February 10, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved application archiving capabilities. Once an application is archived in the Contrast web interface, the .NET Framework agent will be disabled without needing an IIS restart.

  • When auto-update is enabled, the installer will be placed in a secure directory and executed with elevated permissions.

Bug fixes:

  • False positive reported for path traversal when MVC internal code is used. (SUP-2403)

  • Different signatures for the same dataflow reports duplicate routes. (SUP-2345)

  • False positive reported when using XMLSerializer. (SUP-2361)

Release date: February 2, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Important note:

  • All agent configuration settings referring to the terms blacklist and whitelist have been changed to denylist and allowlist, respectively. For example, agent.dotnet.app_pool_whitelist is now agent.dotnet.app_pool_allowlist. The agent will continue to respect the old configuration names until August 2nd, 2022.
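The renamed keys and the application-level override described in this release, shown as an added example configuration (not a file shipped by Contrast). Key paths follow the dotted names printed in these notes; the URL, pool names, the denylist key name (inferred from the blacklist-to-denylist rename) and the comma-separated value format are assumptions, so confirm them with the agent's documentation or the diagnostics tool's config-keys command before relying on them.

```yaml
# Added example, not Contrast's own file. Key paths follow the dotted names in these notes;
# URL, pool names, denylist key name and value format are assumptions.

# --- Server-level contrast_security.yaml (applies to every IIS application on the host) ---
api:
  url: https://contrast.example.internal/Contrast     # assumed URL
agent:
  dotnet:
    # Was agent.dotnet.app_pool_whitelist; the old name is honored only until 2 August 2022.
    app_pool_allowlist: OrdersApiPool,CustomerPortalPool
    # Was agent.dotnet.app_pool_blacklist (new key name inferred from the rename rule).
    app_pool_denylist: LegacyReportsPool
assess:
  enable: false        # off for the host by default ...
protect:
  enable: true

---
# --- Application-level contrast_security.yaml placed in one application's root directory ---
# Properties set here override the server-level values for this application only.
assess:
  enable: true         # ... but on for this one application
server:
  path: /orders-api    # server.path, supported per the March 10, 2021 notes
```

The two documents above would live in two different files; they are shown together only to make the precedence visible. Because the agent logs the final resolved value of assess.enable and protect.enable at initialization (April 13, 2021 notes), the agent log is the place to confirm which layer won.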

New and improved:

  • Added greater flexibility in how the agent can be configured. Applications within an application pool can be configured individually via their web.config or a contrast_security.yaml file in the root directory. There is an order of precedence where properties set for an application override those set at the server.

  • The .NET Contrast tray will now display the application name used by IIS until the application has been loaded. Any application name customizations will be reflected in the tray once the application has been loaded by IIS.

  • The agent's Windows service will now start, even if it is unable to communicate with Contrast.

  • The agent installer now has an option, enabled by default, to restrict access to the installed contrast_security.yaml file. The option can be disabled if needed at install time.

  • Protect will now mask sensitive data in the attack vector if enabled in the Contrast web interface.
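Two post-install checks a practitioner would want after this release and the March 10, 2021 one: that the installer's default ACL restriction on contrast_security.yaml (which holds the agent's API credentials) actually keeps ordinary users out, and that the background service (DotNetAgentService.exe) runs under a virtual service account rather than LocalSystem. This is an added PowerShell example, not Contrast's code; the YAML path is an assumption and should be replaced with the data directory chosen at install time.

```powershell
# Added example (not Contrast's code). Verifies the two hardening properties described in the
# release notes: restricted ACL on contrast_security.yaml and a virtual service account for the
# agent's Windows service. $YamlPath is an assumed location; adjust it to your install.
$YamlPath = 'C:\ProgramData\Contrast\dotnet\contrast_security.yaml'   # assumed location

function Test-YamlAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Config file not found: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    # Broad identities that should never hold an Allow ACE on a file containing API keys.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $offending = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
    })

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected   # true when the installer cut inheritance
        Ok                  = ($offending.Count -eq 0)
        OffendingAces       = $offending | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

function Test-AgentServiceAccount {
    # Match on the binary name from the notes rather than a display name, so renamed installs still match.
    $svc = @(Get-CimInstance Win32_Service -Filter "PathName LIKE '%DotNetAgentService.exe%'")
    if ($svc.Count -eq 0) { throw 'DotNetAgentService.exe is not registered as a service on this host.' }

    foreach ($s in $svc) {
        # A virtual service account shows as NT SERVICE\<ServiceName>; LocalSystem is the over-privileged case.
        [pscustomobject]@{
            Name      = $s.Name
            StartName = $s.StartName
            State     = $s.State
            Ok        = ($s.StartName -like 'NT SERVICE\*')
        }
    }
}

Test-YamlAcl -Path $YamlPath | Format-List
Test-AgentServiceAccount | Format-Table -AutoSize
```

Run it from an elevated prompt; reading another account's service configuration and a restricted file's ACL both need administrative rights. An Ok of false on the YAML check means the install-time restriction was disabled or later overwritten by inherited permissions.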

Bug fixes:

  • Protect path-traversal in monitoring mode will now report a path-traversal probe when an attack goes through a "path resolution API" such as Path.GetFullPath. (SUP-2190)

Release date: January 19, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Temporarily brought back legacy web.config settings.

Release date: January 13, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • The .NET Framework auto-update feature will now verify that downloaded updates have a valid signature and are signed by Contrast.
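The signature check this release adds to auto-update is the same one an operator should perform on a manually downloaded installer: an Authenticode signature that is Valid (not merely present) and that chains to the expected publisher. The PowerShell below is an added example, not Contrast's code or its auto-update implementation; the installer path and the publisher subject string are assumptions.

```powershell
# Added example (not Contrast's code): refuse to run a downloaded agent installer unless it has
# a Valid Authenticode signature from the expected publisher. Path and publisher are assumptions.
param(
    [string]$InstallerPath          = 'C:\Temp\ContrastDotNetAgentInstaller.exe',  # assumed path
    [string]$ExpectedSubjectPattern = 'Contrast Security',                          # assumed publisher string
    [string]$PinnedThumbprint       = ''                                            # optional: pin a known signing cert
)

function Test-InstallerSignature {
    param([string]$Path, [string]$SubjectPattern, [string]$Thumbprint)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Only 'Valid' is acceptable. NotSigned, HashMismatch (file altered after signing),
    # NotTrusted (chain does not end in a trusted root) and UnknownError all fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Signature status is $($sig.Status): $($sig.StatusMessage)" }
    }

    # A valid signature from the wrong publisher is still the wrong file.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($SubjectPattern)) {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected signer: $subject" }
    }

    # Optional stricter check: pin the exact signing certificate rather than a subject string.
    if ($Thumbprint -and ($sig.SignerCertificate.Thumbprint -ne $Thumbprint)) {
        return [pscustomobject]@{ Ok = $false; Reason = "Thumbprint $($sig.SignerCertificate.Thumbprint) does not match pin" }
    }

    [pscustomobject]@{
        Ok          = $true
        Reason      = 'OK'
        Signer      = $subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        # Without a timestamp countersignature the signature stops validating when the cert expires.
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

$result = Test-InstallerSignature -Path $InstallerPath -SubjectPattern $ExpectedSubjectPattern -Thumbprint $PinnedThumbprint
$result | Format-List

if (-not $result.Ok) {
    Write-Error "Refusing to run installer: $($result.Reason)"
    exit 1
}

# Only reach the install step once signature and publisher have been confirmed.
# Start-Process -FilePath $InstallerPath -Wait   # installer switches are not given on this page; add your own
```

Note the two failure modes the status check separates: HashMismatch means the bytes changed after signing (a tampered or corrupted download), while NotTrusted means the signing chain is intact but not anchored in a root the host trusts; neither should be waved through.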

Bug fixes:

  • When auto-update is enabled, the .NET agent doesn’t verify the signature of the newly downloaded installer.

  • When running with New Relic, the .NET agent runs into exceptions. (SUP-2318)

Release date: January 11, 2021

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Added checkpoints to ensure semantic SQL rules are not reported by the agent when the rule is disabled in the Contrast web interface.

  • Removed the agent.dotnet.enable_runtimeid_callbackhandler configuration setting.

Bug fixes:

  • Session-based auto-verification policies didn’t change vulnerability status in version 20.11.2. (SUP-2365)

  • Applications not on the allowlist continued to show on the agent's tray. (SUP-1551)

  • Windows 10 machines running in German cause the .NET Framework agent installer for Windows to crash. (SUP-2279)

  • Fixed a path traversal false positive when running with MVC. (SUP-2265)

Release date: December 21, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Protect Semantic SQL Injection rules do not respect URL exclusions. (SUP-2325)

Release date: December 10, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Installer launches .NET Contrast tray with elevated user permissions. (DOTNET-2279)

Release date: December 1, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • .NET Framework agent failed on startup when an application specified a custom NLog configuration file. (SUP-2220)

Release date: November 16, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • The agent now reports names of classes used as part of enhanced library usage.

Bug fixes:

  • The agent was reporting misleading route observation predictions upon route discovery. (DOTNET-2227)

  • The agent fails to start when Contrast provided a syslog configuration with messages at "INFO" level. (DOTNET-2310)

  • Agent reported path traversal within the FriendlyUrls library's routing logic. (DOTNET-2311)

Release date: October 29, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Added support for route coverage of Web Site Projects (WSP).

  • Deprecated and removed CONTRAST__AGENT__DOTNET__CONTAINER. The configuration flag has no effect; the environments that previously required it no longer need the flag to function.

  • Reduced the size of the Azure App Service Site Extension by removing diagnostics from the download. Diagnostics is still available for other deployment types.

  • XXE will now correctly be detected when running under OWIN in .NET Framework quirks mode.

Bug fixes:

  • Agent sensors logged a NullReferenceException when evaluating some instrumented methods for Assess XXE under OWIN-hosted applications. The null reference has been fixed. (DOTNET-2261)

  • The agent's background Windows service had to be restarted when Contrast configuration settings in web.config were changed. This issue has been fixed so that changes in web.config will automatically be detected and applied. (DOTNET-2254)

  • There was a race condition for IIS detection where the Contrast tray's IIS tab would sometimes not be displayed. This issue has been fixed. (DOTNET-2251)

Release date: October 20, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Fixed PathToYaml installer option to support relative paths.

Bug fixes:

  • Fixed a memory leak in correlation tasks. (SUP-2065)

Release date: October 8, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • File Analysis rules now report relative path for files.

Bug fixes:

  • Service crashed under .NET Framework 4.7.1 for users of agent version 20.9.3. (DOTNET-2192)

  • SystemWeb OWIN Web API instrumentation results in duplicate events in response stream. (SUP-1917)

Release date: September 30, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Improved accuracy by recognizing the Uri.Escape* URL-encoding methods (Uri.EscapeDataString and Uri.EscapeUriString).

  • Agent can now discover WebForms Routes in pre-compiled applications.

Release date: September 17, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Made the .NET Framework Contrast tray window resizable.

  • Improved ASMX route detection and handling of sources from deserialization.

Release date: September 3, 2020

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

New and improved:

  • Telemetry is now enabled in the .NET Framework agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

  • Azure Service Fabric is supported as a deployment type for the .NET Framework agent.

  • Cleaned up text in the Contrast tray.

Bug fixes:

  • .NET service restart causes IIS workers to fail to start. (SUP-1818)

  • Fixed a null reference in a FileAnalysisEngine.FindVulnerabilities parameter.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Tray crashes on startup. (SUP-1891)

  • Agent fails to startup properly when application is archived. (SUP-1849)

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Bug fixes:

  • Virtual patches for QueryString parameters do not work if the values contain structured data. (SUP-1763)

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.6, 20.7.2, 20.7.3, 20.7.4

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast_security.yaml configuration file.

Important notes:

  • The agent’s file analysis rules now execute within the context of the agent’s sensors component. These rules will now execute in Azure App Service and Docker deployments. Previously these rules only executed in the agent’s background Windows service component.

Bug fixes:

  • When a third-party profiler was chained with Contrast, that profiler could instrument some internal Contrast methods, which led to instability. This issue has been fixed.

  • The agent could fail to properly observe some Web API 2 routes. This issue has been fixed now.

  • When an OWIN-based application was deployed to Azure App Service, the agent would cause an application error. This issue has been fixed.

  • When the agent’s background Windows service was shutting down it could sometimes harmlessly crash. This issue has been fixed.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.1, 20.6.3, 20.6.4

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • Added support for OWIN-based hosting and self-hosted Web API applications outside of IIS.

  • The agent will now clean up old logs in Azure App Service and Docker-based deployments.

  • Improved logging and reliability around the agent’s auto-upgrade process.

  • Improved performance of Protect XSS.

  • Added support for route-based coverage of WCF services using Unity interception.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could trigger a stack overflow. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When the agent’s service restarted IIS with Contrast sensors on an overloaded server, the service could start receiving messages from those sensors before it was ready to handle them, which led to the sensors failing to initialize. This issue has been fixed.

  • When a user would set up profiler chaining with AppDynamics in an Azure App Service environment, the AppDynamics profiler would fail to load. This has now been fixed.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.5.1

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

Important notes:

  • Beginning with this release, the minimum supported operating system is Windows Server 2012 and the minimum .NET Framework version is .NET 4.7.1.

  • The legacy .NET Framework agent maintains support for Windows Server 2008 and older .NET Framework versions. The legacy agent has all of the current features of the .NET Framework agent and receives critical bug fixes but otherwise will not be further developed.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, it was rejected due to missing information. The agent now sends all expected information for this vulnerability.

Language versions currently supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.4.1, 20.4.2, 20.4.3

New and improved:

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid yaml).

Important notes:

  • The agent’s auto-update feature will no longer update the agent when running on Windows Server 2008 or servers with .NET Framework 4.7.0 or older. This change is in preparation for the upcoming fork of the Contrast .NET Framework agent. See below for more details.

  • The next release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Bug fixes:

  • When an application hosted on IIS was (mis)configured without a virtual path, the agent’s background Windows service would crash. The agent’s background Windows service now properly handles this configuration.

  • A race condition around requests for configuration values that did not have default values could lead to a crash of the agent’s background Windows service. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.