Java agent release notes

Release date: June 29, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Adjusted environment variables for telemetry opt-out.

Bug fixes:

  • Netty - onSourceEventDetected throws Unsupported when non-array buffer is used. (JAVA-5215)

  • Grizzly NPE reported by Contrast on Glassfish 4 applications. (JAVA-5172)

  • Denylist Apache CXF CglibProxyHelper. (JAVA-5167)

  • Preload Contrast agent classes for temperamental WebSphere on IBM z/Linux. (JAVA-5085)

  • Needless toString calls on customer domain objects. (JAVA-4790)

Release date: June 9, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Telemetry is now enabled by default.

  • WildFly, JBoss and Tomcat applications are now eagerly identified when the application/server is created.

Bug fixes:

  • Agent stops working when getting a 404 response. (SUP-3560)

  • Agent tries to startup despite failure of classInjection.inject. (JAVA-5152)

  • Insecure hash algorithm findings in Datadog. (SUP-3729)

  • ApplicationClassEventListener is prone to deadlocks. (JAVA-5095)

  • ClassCircularityError found on Jetty 7. (JAVA-5146)

Release date: May 25, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved

  • Improved performance to Elastic APM

Bug fixes:

  • Assess tag functionality is inconsistent across different environments. (SUP-3775)

  • Java agent uses a vulnerable version of jsoup library. (SUP-3789)

  • False positive path traversal: java.base/java.io.File.createTempFile (SUP-3589)

  • Agent fails to transform AWS ScanRequest class. (SUP-3667)

Release date: May 11, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Improved support for multi-app route coverage and discovery on Websphere traditional.

  • You can now use the config property to get the agent version in AgentVersionClassificationTestWatcher.

Bug fixes:

  • The OGNL injection rule can report the same attack as being Probed and either Blocked/Exploited. (SUP-3731)

  • One request yields multiple calls to URI activity and ContrastHttpServletDispatcher#onFirstRequestHandlerInvoked. (JAVA-5009)

  • Protect ignores exclusions for URIs when excluded for all Protect rules. (SUP-3660)

  • Java agent fails to start if server does not exist on Contrast server. (SUP-3703, 3587)

Release date: April 27, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Improved application identity support on WebLogic.

  • Improved application identity support on Jetty.

  • Resin server servlet support on Assess.

  • JarAnalyzer should handle buffer growth more efficiently.

Bug fixes:

  • VerifyError for log enhancer. (JAVA-5014)

  • JndiInjectionReporter incorrectly truncates stack trace. (JAVA-4993)

  • Header names are not properly modeled as case-insensitive. (JAVA-2186)

Release date: April 13, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Improved accuracy of the Protect padding Oracle rule.

  • No standalone_app_name is required for route coverage for Spring Boot executable JARs.

  • Improved memory utilization when analyzing customer webapp libraries for Protect.

Bug fixes:

  • XSS Keyword/Pattern causing false positives for Protect. (SUP-3275)

Release date: April 7, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

New and improved:

  • Adds a new Protect rule, Class Loader Manipulation, that provides additional hardening against exploits like Spring4Shell and others. The new rule guards against attacker attempts to gain access to and manipulate a class loader. Manipulating a class loader is a common way that attackers exploit the reflection code in expression language injection and mass assignment vulnerabilities to escalate to remote code exploitation.

  • Improves the accuracy of the Protect Cross-Site Scripting (XSS) rule.

  • Improves the accuracy of the Assess Log Injection rule so that it also detects this vulnerability when untrusted data enters log statements through logger formatter parameters (in addition to untrusted data in the formatting string itself).

  • Improves the robustness of our exercised route reporting in applications with large numbers of applications and exercised routes.

Bug fixes:

  • When running the Contrast agent alongside the Datadog agent, Contrast Protect reports a path traversal attack in Datadog’s datadog.common.container.ContainerInfo class. This false positive has been fixed.

Release date: March 30, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

Bug fixes:

  • False positive path traversal: java.base/java.io.File.createTempFile(String, String) (JAVA-4868)

  • False positive path traversal: Spring Web MVC (JAVA-4777)

  • Async request handling triggers arbitrary server side forward. (JAVA-4392)

Release date: March 16, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

Important

With this release, the Contrast Java agent is starting to move to a new versioning system. In some locations you may see this release labeled "3.10.0.25482".

3.X versions support Java 6 and 7. Future 4.X versions will support Java 8+.

See this FAQ for more information.

New and improved:

  • Added support for Scala-Play log injection

Bug fixes:

  • Error messaging around Contrast profiles shows incorrect case sensitivity. (JAVA-4859)

  • Java agent not creating or linking to application when standalone app name is used. (SUP-3587)

  • JarAnalyzer loads bytes of entire jar into memory. (JAVA-4813)

  • False negative in UncheckedRedirectRule. (JAVA-2742)

Release date: March 2, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17

Important

Beginning with this release, the Contrast agent now supports Java 17.

New and improved:

  • The java.sql module/package is no longer required for the Java agent.

  • Added support for Assess Kotlin: 1.5 Dynamic Database Sources - Stored XSS and 1.5 Reflection Injection

  • Added enhanced support for GlassFish JSP.

Bug fixes:

  • Untrusted deserialization attacks wrongly include Contrast code in stack trace (JAVA-4599)

  • WebSphere OSGI classloading behavior results in NoClassDefFoundError. (JAVA-4591)

  • Semantic path traversal fails to catch Paths.get usage on J8. (JAVA-4459)

  • Protect unsafe file upload false positive from test JAR. (JAVA-4455)

  • JarAnalyzer reads bytes for ZipEntry even if not required. (JAVA-4453)

  • XXE false-negative: TransformerFactory parser considered secure with only ACCESS_EXTERNAL_STYLESHEET disabled. (JAVA-4340)

  • XXE false-positive: Axiom StAX parser with secondary controls (StAXParserConfiguration.STANDALONE) enabled. (JAVA-4339)

  • Potential leaks in hierarchy scanners. (JAVA-4300)

  • Netty EmptyByteBuf false positive. (JAVA-4204)

  • Field name not set for triggered events in Apache CXF. (JAVA-524)

Release date: February 2, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Additional support for Assess Scala: Akka HTTP 10.2.x redirect/forward - unvalidated redirect, arbitrary server side forwards vulnerabilities, GET request and form submission for XSS, HTTP header injection vulnerabilities.

  • The Contrast Java agent now fully supports server-side Kotlin applications.

  • Added a configurable limit for request body capture size (default Integer.MAX).

  • Added denylist IGNORED and ANALYZED_IGNORED classes for Scala 2.13 language/SDK.

  • Added XXE test case for XML parsers secured by enabling XMLConstants.FEATURE_SECURE_PROCESSING.

Bug fixes:

  • Protect path traversal false positive in Infinispan CPU detection. (JAVA-4406)

  • Prevent OOM from large request bodies collected for ApplicationActivityDTM. (JAVA-4321)

  • Servlet route coverage fails on embedded Tomcat. (JAVA-4313)

  • DataFlowEventHistory may overflow affecting adaptive optimization. (JAVA-4208)

  • Adaptive Optimization is not specific in deadzoning. (JAVA-4194)

Release date: January 19, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Support for route coverage on Spring Boot 2.5 and 2.6.

  • Support for Kotlin tagging/encoding utilities, Spring XSS and co-routine APIs.

  • Support for library discovery for Scala Akka HTTP 10.2.X.

Bug fixes:

  • AdaptiveOptimizationManagerTest has an unnecessary 1 minute delay. (JAVA-4383)

  • Defining an abstract method causes java.lang.ClassFormatError. (JAVA-4325)

  • PercentCodec does not decode multibyte characters properly . (JAVA-4307)

  • XXE false negative: XML parsers are considered secure even if XInclude is enabled. (JAVA-4233)

Release date: January 5, 2022

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Support for Scala 2.13, Scala Play JSON Parsing Utilities and String Utilities.

  • Support for Kotlin tagging/encoding utilities, Spring XSS and co-routine APIs.

  • Protect CVE shield for Log4j CVE-2021-44228

Bug fixes:

  • Policy classes removed but policy remains in XML. (JAVA-4311)

  • Netty support instruments Spring WebFlux client requests/responses as sources of untrusted data causing false positives and performance degradation. (JAVA-4285)

  • Caching ContrastPolicy causes ArrayIndexOutOfBoundsException . (JAVA-4262)

  • GET Request bodies can be used to bypass Protect. (JAVA-4226)

  • PropagatorAdaptiveOptimizerImpl.getCallerHistory, and AdaptiveOptimizationManager.isSourceIdentityAllowed are not thread safe. (JAVA-4207, JAVA-4206)

  • JAXB Unmarshalling is missing for DOM nodes. (JAVA-4200)

  • XXE false positive: XML parsers considered insecure when XMLConstants.ACCESS_EXTERNAL_DTD disabled. (JAVA-2691)

  • False negative for source javax.servlet.http.Part.getHeaderNames() on Websphere. (JAVA-2437)

Archive

Release date: December 14, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Upgraded CVE-2021-44228 shield to respect shaded packages of Log4j2. Improved reporting of attack events. (JAVA-4301)

Release date: December 14, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

Bug fixes:

  • Added Protect CVE shield for Log4j CVE-2021-44228 (JAVA-4301)

Release date: December 8, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added further support for Kotlin Assess (Beta).

  • Enhanced support on configuration properties.

Bug fixes:

  • Spring framework method/actuator displayed as a route signature. (SUP-3001)

Release date: November 24, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added support for Kotlin (Beta).

  • Enhanced support on configuration properties.

Bug fixes:

  • Creating an application reports a race condition (JAVA-4248)

  • BeanCreationException error when running with Java agent. (SUP-3302)

  • Java application doesn't start with Contrast Assess agent, but looks for all.json file instead. (SUP-3287)

  • Unable to exercise routes when using Spring Cloud/Zuul (SUP-3185)

  • When running with multiple profiles for the java agent, it breaks when the contrast.profile is set to anything with uppercase letters. (SUP-3267)

Release date: November 10, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

Bug fixes:

  • Java agent throws a null pointer exception when sending request containing XXE with Protect. (JAVA-3956)

  • Protect does not apply path traversal to Headers. (JAVA-3957)

  • Adaptive optimization causes response delays. (JAVA-2322)

Release date: October 27, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added support for kotlin.concurrent APIs.

  • Added application discovery support for Kotlin 1.5 and Spring 5.

  • Added support for Assess Scala-Play vulnerabilities: XPath injection, XXE, unvalidated redirect, arbitrary server-side forwards, response header detection.

  • Added support for Assess Mulesoft 4.3 unvalidated redirect, arbitrary server-side forwards, response header detection.

Bug fixes:

  • XXE produces false positive DisallowDocTypeReader. (JAVA-3732)

  • Potential for invalid request body to be returned when reporting a finding. (JAVA-3561)

Release date: October 13, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Performance improvement to reduce memory allocation in the agent.

Bug fixes:

  • Cached Body may be regenerated incorrectly causing finding to contain wrong body. (JAVA-3918)

  • Agent logs out obfuscated decoy decrypt code. (JAVA-3915)

  • Unnecessary logging when the Java agent is disabled. (JAVA-3914)

  • Big request body content might cause RequestMemoryBuffer allocation to malfunction. (JAVA-3870)

  • Java Agent instruments JDK jmap CLI Tool. (JAVA-3836)

  • Oracle ADF Path-traversal false positive. (JAVA-3773)

  • Oracle ADF XXE false positive. (JAVA-3771)

  • ConcurrentModificationEx with Assess CSRF rule. (JAVA-3549)

  • JVMUtils.checkKeyStore kicks in too late. (JAVA-2368)

  • Attack reporting erroneously HTML encodes request body. (JAVA-1671)

  • XXE attack reporting fails to render entity. (JAVA-1668)

  • Propagation events not triggered as expected for javax propagator rules. (JAVA_448)

Release date: September 29, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added Assess Rules (SQLi, Cookies, File Upload) for Mulesoft 4.3 beta support.

  • Investigatedimplementing StAX for Protect XML parsing.

  • Ensured HttpUtil.toNormalizedURI does not trigger vulns.

Bug fixes:

  • CentOS 8 Java RPM package missing from RPM repository. (JAVA-2422)

  • Response delays caused by adaptive optimization bug. (JAVA-2322)

Release date: September 15, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Support Mulesoft 4.3 route observation.

  • Handle generating/caching strings for findings efficiently.

Bug fixes:

  • Assert all positive values in ScopeAssess.decrementScope. (JAVA-3688)

  • Contrast agent attempts to instrument AppDynamics. (JAVA-3649)

  • NoClassDefFoundError instrumenting Liferay built-in CXFEndpointPublisher. (JAVA-3621)

  • Cross-site scripting (XSS) FP writing client-side state to JSF pages. (JAVA-3541)

  • Protect scanning of request body involves excessive allocation. (JAVA-3106)

Release date: October 5, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added Assess beta support for MuleSoft 4.3

  • Added SAST missing policies for java.util.Optional

  • SnapshotFactory now limits snapshot size dynamically.

  • Thread-unsafe SimpleDateFormat may nowbe used by multiple threads

Bug fixes:

  • Add missing policies for JSON Web Tokens. (JAVA-3593)

  • WebGoat 7.1 produces NoClassDefFoundError. (JAVA-3649)

  • Syslog heartbeat message logged every time config changes. (JAVA-3621)

  • Rules disabled while application is running still appear in preflight report. (JAVA-3541)

  • LogLevel cannot be set by server level features. (JAVA-3106)

Release date: August 19, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added Application Discovery Support for Mulesoft 4.3.

  • Enanced support for untrusted forward in Liferay 7.2+.

Bug fixes:

  • Missing propagators in Spring policies. (Java-3571)

  • Protect AccessControlException for NanoXML. (JAVA-3548)

  • Java Assess: java.lang.NumberFormatException when uploading a huge file. (JAVA-3545)

  • Java Agent doesn't respect configuration provided via system properties file. (JAVA-2495)

  • WebGoat 7.1 server type detection. (JAVA-2458)

  • DB flowmap regression in 3.7.10.17525+ agent. (JAVA-2313)

  • OOM: Protect rebuilds a masked body for each attack in a single request. (JAVA-1646)

  • Assess must limit size of RequestBuffer. (JAVA-3272)

  • RequestMemoryBuffer copies all bytes for the request body again. (JAVA-3107)

Release date: August 4, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added sensitive data masking support for Liferay namespaced parameters.

  • Enhanced Liferay 7.2+ LDAP injection and path traversal.

  • Refactored Hibernate entry points that use functional interfaces.

  • Extracted rule evaluation metadata from being hardcoded in SignatureBasedRules.

  • Improved performance of Liferay Check in UnvalidatedForwardCheck.

Bug fixes:

  • Fix Typo in USE_RUNTIME_CACHE. (Java-3518)

  • Incorrectly parsed uncommon query string results in incorrect behavior. (JAVA-3305)

  • Assess must limit size of RequestBuffer. (JAVA-3272)

  • RequestMemoryBuffer copies all bytes for the request body again. (JAVA-3107)

  • Compare agent defined Protect rules with Contrast's supplied rules. (JAVA-2629)

  • Failure to discover libraries in EAR deployed to WebSphere 8.5 on IBM Java 1.8. (JAVA-2122)

Release date: August 5, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

Bug fixes:

  • NPE with ContrastPlugin.isDisabledUri. (Java-3536)

  • MuleSoft Jetty bad operand on stack. (JAVA-3553)

  • Incorrectly parsed uncommon query string results in incorrect behavior. (JAVA-3305)

  • Assess must limit size of RequestBuffer. (JAVA-3262)

  • RequestMemoryBuffer copies all bytes for the request body again. (JAVA-3107)

  • Compare agent defined Protect rules with TS supplied rules. (JAVA-2629)

  • Fails to discover libraries in EAR Deployed to WebSphere 8.5 on IBM Java 1.8. (JAVA-2122)

  • Add Sensitive Data Masking Support for Liferay Namespaced Parameters. (JAVA-3007)

  • Liferay 7.2+ Path Traversal false-positives. (JAVA-2920)

Release date: July 22, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

Bug fixes:

  • Screener Micro failures due to update to newest artifact. (JAVA-3381)

  • GitHub runner does not have access to ECR. (JAVA-3379)

  • Cross-site scripting (XSS) false negative in SpringBoot 1.0+. (JAVA-3362)

  • Regex Scan Policy Targets the Wrong API. (Java-3358)

  • Agent acts differently when started with proxy enabled. (JAVA-3268)

  • UrlExcusions with all rules off are not applied before capturing request body. (JAVA-3108)

  • Request MemoryBuffer threadlocal never releases any memory allocated. (JAVA-3014)

  • Umbrella is not discovering an entry point in the Java IO Test. (JAVA-2529)

Release date: July 8, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

Bug fixes:

  • Umbrella is not discovering and entry point in the Java IO Test. (JAVA-2529)

Release date: June 24, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added support for Oracle ADF 12c.

  • Remove JAXB from Contrast SDK.

Bug fixes:

  • -Dcontrast.assess.save_results=OnError not saving vuln data locally when agent is unable to connect to Teamserver. (JAVA-3267)

  • Agent fails to obtain settings from Teamserver after starting with no connectivity. (JAVA-3148)

  • Correct server detection for JBoss EAP and Wildfly post 19. (JAVA-3110)

  • Struts 2 route coverage does not function without the spring-struts-plugin. (JAVA-1947)

Release date: June 10, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Add technology sensor for MyBatis.

  • Make overly-long session timeout check log messages less noisy on DEBUG.

  • Use Final Release of java-launcher.jar instead of SNAPSHOT version.

  • Added Scan to OWASP benchmark.

Bug fixes:

  • XXE False Positive when XMLStreamReader is configured to be safe. (JAVA-3118)

  • Java Agent detects JBoss EAP 7.3 (WildFly 18) as JBoss AS 7.1 (which is JBoss EAP 6.0). (JAVA-2832)

  • Agent sends invalid internalDate for libraries. (JAVA-272)

  • WebSphere 8.5.5 yields NoSuchFieldException. (JAVA-86)

Release date: May 27, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15, 16

New and improved:

  • Added full support for JDK 16.

  • OpenJDK16 XXE tests with InaccessibleObjectException.

  • XXE False Positive when attribute ACCESS_EXTERNAL_STYLESHEET is configured to be safe.

Bug fixes:

  • ContrastNettyDispatcherImpl uses ClassCastException for control flow. (JAVA-2888)

  • DataMasker handling of Request Body does not work for multi-part requests. (JAVA-2681)

  • Reflected cross-site scripting (XSS) detection race condition. (JAVA-2619)

  • Merge of AppActivity with concurrent modification causes ConcurrentModificationException. (JAVA-2457)

  • AssessmentContext use of WeakHashMap causes deadlocks. (JAVA-2431)

Release date: May 13, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15

New and improved:

  • Added support for Trinidad 2.0+ ResponseWriters and HTML escaping utilities tagging/deadzones.

  • Added Support for Mojarra 2.0+ HtmlResponseWriter and HtmlUtils tagging/deadzones.

  • ADF File Upload Support for cross-site scripting (XSS) in Assess.

  • Trinidad JSP Support for cross-site scripting (XSS) and Path Traversal in Assess.

  • Added support for ADF Business Components (SQLi) in Assess.

  • Added support for ADF Facelets cross-site scripting (XSS) and Path Traversal in Assess.

  • Added Static Application Security Testing (SAST) tests for java.xml and java.beans.

  • Added Static Application Security Testing (SAST) tests for java.util.

  • Added Static Application Security Testing (SAST) tests for java.lang.

Bug fixes:

  • False positive Path Traversal null byte. (JAVA-2768)

  • Slow primordial transformation time for J11. (JAVA-2761)

  • Java code formatting is not being applied/checked in acceptance test application project. (JAVA-2716)

  • Vulnerabilities not sent for Jersey acceptance test app. (JAVA-2645)

  • ArrayIndexOutOfBounds with PurgeThread on TS. (JAVA-2589)

  • XXE False Positive when TransformerFactory is configured to be safe. (JAVA-2534)

  • Umbrella Lambda Entrypoint Signatures are confusing. (JAVA-2526)

  • Fix team module race condition when adding new developers. (JAVA-2256)

  • Remove javax.net.ssl.keyStorePassword from contrast log. (JAVA-538)

Release date: April 15, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9, 10, 11, 12, 13, 14, 15

New and improved:

  • Reduced object allocation in input canonicalization of Protect for increased performance and lower memory usage.

  • Added support for WebLogic's DocumentBuilder XML implementations in Assess.

  • Changed Protect XSS rule from Probed to Suspicious when in monitoring mode.

Bug fixes:

  • When using a PemPrivateKey in Netty, the agent would report a Hardcoded Key vulnerability. (JAVA-2616)

  • When using Jersey JAX-RS, the agent could get caught in a race condition during route observation. (JAVA-2425)

  • When using an older version of ESAPI with Protect enabled, the agent could throw a null-pointer exception. We removed the deprecated User Attack Attribution feature to fix this issue. (JAVA-66)

Release date: April 1, 2021

Language versions currently supported: Java 1.6, 1.7, 8, 9 ,10, 11, 12, 13, 14 and 15

New and improved:

  • Fixed cross-site scripting (XSS) false-positives in Oracle ADF views.

  • The agent now reports effective instrumentation mode on Application create.

Bug fixes:

  • When trying to identify ReDos vulnerabilities in Spring, the agent could report a false positive in UriComponentsBuilder. (JAVA-2599)

  • When instrumenting AWS DynamoDB with Assess, a null-pointer exception is thrown in ScanRequest if a null is passed as a parameter. (JAVA-2525)

  • When the agent tries to instrument Apache Axiom, the Java agent can not confirm whether XMLInputFactory supported external entities Apache Axiom API. (JAVA-2499)

  • When Assess is disabled, the agent will still report discovered routes. (JAVA-2494)

  • When the CorsFilter is enabled in Spring, the agent could falsely report a Header Injection vulnerability in Assess. (JAVA-2492)

  • When custom security controls with All Rules are enabled in Contrast, Assess data flow rules do not respect custom-encoded tags. (JAVA-2217)

  • When trying to deploy the agent to Pivotal Cloud Foundry (now VMWare Tanzu), libraries in external directories are not recognized. (JAVA-2178)

  • When trying to identify Assess vulnerabilities in Apache Axiom, an external entity injection (XXE) false positive could be reported. (JAVA-2118)

  • When using ESAPI Validators for files in application code, the agent could report path traversal false positives. (JAVA-967)

  • When using Websphere, the agent would generate a vulnerability for insecure cookies when not part of an HTTP request. (JAVA-755)

  • When using java.io.ObjectInputStream#readObject, the agent would not report untrusted deserialization vulnerabilities on the deserialization of Base64 encoded objects. (JAVA-719)

Release date: March 18, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

New and improved:

  • The Java agent is now compatible with the latest Java 16 release candidate.

Bug fixes:

  • When attempting to block a ReDos attack with Protect, application settings for the rule from Contrast were ignored. (JAVA-1959)

  • When Assess is enabled in a Websphere server, sending a SOAP request could report an XXE false positive. (JAVA-2273)

  • When using Netty, the agent could cause the request cookies to become malformed. (JAVA-2439)

  • When using Apache, the agent is reporting WebService architecture components with invalid URL values. (JAVA-2449)

Release date: March 4, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

New and improved:

  • Downgraded "Failed to Update Immutable Collection" log message from ERROR to DEBUG.

Bug fixes:

  • When running Protect, rules that only block at the perimeter do not report attacks at the perimeter when in monitoring mode. (JAVA-58)

  • When trying to scan for Spring Boot libraries on startup, the agent fails if JBOSS_HOME is set. (JAVA-2027)

  • When trying to monitor the number of queries executed, the agent could incorrectly report a much higher number of queries. (JAVA-1970)

  • When running Assess in WebSphere, the agent could falsely report a XXE vulnerability in XLXP2. (JAVA-2387)

  • When attempting to decode Javascript in Protect, the agent could throw an NullPointerException on a specific input. (JAVA-2456)

Release date: February 18, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

New and improved:

  • Updated list of secure encryption algorithms for the insecure encryption algorithm Assess rule.

Bug fixes:

  • When Websphere is run with the agent in suite B mode, a java.lang.IllegalArgumentException is thrown, regardless of whether TLS1.2 is set as a system property. (JAVA-1813)

  • When running a Dropwizard service that doesn't expose anything on the default servlet context, we log repeatedly after failing to obtain servlet context. We updated this to only log once. (JAVA-2272)

  • When trying to discover architectural components on start up, the agent could accidentally report a negative number. We've defaulted to certain ports based on HTTP scheme. (JAVA-2294)

  • When using the agent with Assess enabled, the agent could have a memory leak due to keeping all transformed class names. (JAVA-2310)

Release date: February 2, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

Bug fixes:

  • Rule mode configurations were hidden by the agent but are now visible. (JAVA-3)

  • When checking for command chaining in SQL injection with Protect, a false positive could occur if BEGIN and END were used. (JAVA-53)

  • Fixed configuration documentation for inventory.library_dirs property to specify correct delimiter per OS. (JAVA-962)

  • When using Grizzly, the agent did not properly handle insecure cookies set with setHeader. (JAVA-1785)

  • When using Assess, the agent could report incorrect security control tags in data flow. (JAVA-2216)

  • When using Protect, analysis of form metadata could result in a false positive. (JAVA-2274)

Release date: January 21, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

Important notes:

  • The Contrast agent no longer enables Synapse-related policies by default. Support for Synapse is in Beta.

New and improved:

  • Added support for JPQL for JPA 2.0-2.2 in Protect.

  • Removed cookie name and value as valid sources for Reflected XSS in Apache CXF, Grizzly, JAX-RS on Jersey, J2EE/Servlets, and Netty.

Bug fixes:

  • When a user supplies an empty session ID configuration value, Contrast rejects vulnerabilities. The Java agent no longer allows empty session ID configuration. (JAVA-1120)

  • When scanning for overly-long session timeout vulnerabilities, the agent can match on XML nodes that were commented out. The agent now parses web.xml when looking for overly-long session timeout instead of using a String match. (JAVA-1912)

  • When inventory is disabled (-Dcontrast.inventory.enable=false) the agent still reports application inventory data. (JAVA-1968)

  • When inventory is disabled, Protect attack reports can be disrupted. (JAVA-1971)

  • The Java agent no longer considers application path for application ID. (JAVA-2055)

  • When Protect is enabled the agent considers binary data for multipart value inputs. It will now only consider non-binary data. (JAVA-2103)

  • Removed an Assess SQL injection false positive finding within MariaDB. (JAVA-2106)

  • When using Synapse, tags are not duplicated for Apache headers and static strings. (JAVA-2117)

Release date: January 8, 2021

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

New and improved:

  • The Java agent will now be disabled after 404 response from Contrast on startup.

  • Added Assess and Protect support for the MyBatis framework.

  • Agent now sends heartbeat messages to Contrast.

  • Improved Protect Base64 optimization when using exclusions or disabling rules.

Bug fixes:

  • False positive is associated with WebSphere when Protect is enabled. (JAVA-1897)

  • Loading static content with Websphere triggers a false positive Path Traversal vulnerability. (JAVA-1910)

  • Insecure Authentication Protocol Rule can cause false positives. (JAVA-1913)

  • Agent loses tainted object when Undertow's PartImpl#getHeaders is called more than once. (JAVA-1932)

  • Datadog Protect Path Traversal caused false positives. Repaired by deadzoning certain classes. (JAVA-2057)

  • Agent HierarchyCache leaks file handles. (JAVA-2062)

  • Loading static content with Wildfly triggers a false positive Path Traversal vulnerability. (JAVA-2064)

Release date: December 10, 2020

Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15

New and improved:

  • Java 13, 14 and 15 are now supported.

  • Updated PropagationEvent and SourceEvent with more modern design patterns.

  • Updated agent to no longer send invalid ArchitectureComponentDTM.

  • Fixed invalid LDAP url in architecture components.

  • ObservedRoute URL is being passed to Contrast with an empty value.

  • Improved performance of Base64 encoding detection.

  • Moved padding oracle Protect rule to Beta.

  • Added feature flag for web service response tracking (which is disabled by default) to ignore external HTTP responses as sources.

  • Improved performance by making changes to MarkOfTheBeast instrumentation.

  • Added new SQL Injection whitespace separators to Protect keywords.

  • Decreased Base64 decoding in Protect for performance improvements.

Bug fixes:

  • Protect malformed-header rule must include exceptional logic for multipart/related Content-Type's. (JAVA-1020)

  • Zombie Background Service error. Use ScheduledExecutorService instead of Thread.sleep. (JAVA-1911)

  • StackOverflowException ocurred from CodeEventBuilder.getMethod(). (JAVA-1960)

  • The spring-unchecked-autobinding rule is not supported in Spring 4. (JAVA-69)

  • Agent reports vulnerabilities before taking library inventory. (JAVA-1265)

  • Wildfly session ID is null when redirected to another servlet in tests. (JAVA-1300)

  • An AppCreate message is never sent if library inventory is disabled. (JAVA-1817)

  • False attack reported when using Hadoop 3.2.1. Deadzone added to prevent this. (JAVA-1866)

  • Protect showed performance issues when analyzing deserialized objects. (JAVA-1871)

  • Server name defaults to null if lookup fails and not set by config. (JAVA-1894)

  • Propagators were causing false positives and negatives. Removed FileInputStream.<init> propagators to prevent false positives. Added FileInputStream.<init> as a path traversal sink to prevent false negatives. (JAVA-1914, JAVA-1915)

Release date: November 12, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Java 2 Security Manager support is now out of beta and available for general use.

  • Added agent compatibility for Java 14 and 15.

  • Refactored and improved parts of application initialization to prevent rare errors.

  • Added OWASP Benchmark to automated test pipeline.

  • Updated SQL Injection whitespace separators for Protect.

  • Added a debug log statement after primordial retransformation.

  • The agent can now detect programmatic setting of Session Timeout for applications without a web.xml.

  • Updated padding oracle, ReDos, and ZIP file overwrite Protect rules to include Suspicious attack labels.

Bug fixes:

  • Some Struts CVE shields don't check for vulnerable libraries before reporting attacks. (JAVA-153)

  • Moved CSP header analysis context so it is specific to the current request, rather than applying to all requests. (JAVA-1609)

Release date: October 29, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Java 2 Security Manager support is now out of beta and available for general use.

  • Removed the auto-license configurations from the Java agent.

  • Enabled reporting of enhanced library usage feature by default.

  • Added support for JEP 325 switch expressions.

  • Updated agent to prevent redacting important error information from the logs.

  • Changed inaccurate warning when application name cannot be found.

  • Added Expression Language injection vulnerability support for Thymeleaf in Spring.

  • Updated agent to default Protect rule modes to off.

Bug fixes:

  • Assess XXE getting false negative with JAXP StAX Parsers. (JAVA-757)

  • GlassFish classloader occasionally fails to load contrast dispatcher types. (JAVA-1595)

  • CSP header analysis referrer is misspelled. (JAVA-1611)

  • ReDoS event causes application to fail to start. (JAVA-1771)

  • DataDog Protect path traversal shows false positive. (JAVA-1791)

  • Redundant onApplicationInventoried callbacks cause performance degradation. (JAVA-1822)

Release date: October 15, 2020

Language versions currently supported: Java 1.6 - Java 11

Important notes:

In this release, the Java agent changed the behavior of the api.timeout_ms config parameter. Previously this parameter, while titled as milliseconds, was interpreted by the Java agent as seconds. This behavior has been corrected to be milliseconds across this board. The legacy behavior using seconds is not available via a YAML config, but is configurable with the -Dcontrast.timeout flag. Contact Support if you were negatively impacted by this change and need assistance.

New and improved:

  • You can now use profiles in a multi-tenant application configuration to apply individual options to each application.

  • Verified Protect blocks untrusted deserialization on commons-collections and c3p0.

  • Liferay Suppression now uses UnvalidatedForwardCheck and not stack denylist.

  • You will now see WARN if the YAML configuration file contains invalid syntax when parsing or if required configuration to connect to the Contrast application is missing.

  • Log full configuration state including environment, command line, and YAML values.

Bug fixes:

  • False positive on hardcoded key in Assess. (JAVA-710)

  • Missing deadzone caused NewRelic path traversal. (JAVA-891)

  • SHA-1 false positive found in WebSphere LTPA token generation. (JAVA-1594)

  • SHA3-256 incorrectly identified as bad crypto algorithm. (JAVA-1603)

  • False negatives due to missing java.io.InputStream.read propagators. (JAVA-1633)

  • Analyze-log tool crashes when missing second argument. (JAVA-1670)

  • Agent fails to deserialize ApplicationResponse with modules. (JAVA-1687)

  • Common config api.timeout_ms value is actually in seconds, not milliseconds. (JAVA-1694)

  • Use StackCapture.traceWithoutContrastCode over complex stack frame depth calculations. (JAVA-1697)

  • Suppress crypto-bad-mac vulnerability from within Hibernate. (JAVA-1707)

  • In some cases on Java 13+ with Assess enabled, string.replace fails. (JAVA-1722)

  • Remove double colon from Proxy URL configuration description. (JAVA-1773)

  • Netflix Zuul is throwing a header-injection false positive. (JAVA-1632)

Release date: October 1, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Separated semantic analysis rules out into new rules.

  • Spring ClientHttpResponse#getStatusText is no longer being filled in with Spring Boot 1.4+.

  • Lowered DocumentScanningManager log statement to DEBUG.

  • Added support for Spring RestTemplate.

  • Added Assess support for Hibernate HQL, JPA/JPQL and Criteria API vulnerabilities.

  • Included GlassFish support for servlet route coverage.

Bug fixes:

  • ContrastDynamicSourceDispatcherImpl throws unnecessary error. (JAVA-1709)

  • Path traversal false positive in Grails application due to AssetPipelineFilter. (JAVA-1473)

  • Grizzly Propagator incidentally ignored by agent. (JAVA-1635)

Release date: September 16, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Introduced Java 13 compatibility.

  • Added support for Matcher#appendReplacement and String#replace.

  • Added support for Java Security Manager on WebSphere and WebLogic with Java 6 through 8.

  • Added support for contrast.profile properties.

Bug fixes:

  • False positive path traversal in Liferay DynamicCSSFilter (JAVA-1402)

  • Assess rule cookie-flags-missing suppression logic fails at addHeader and setHeader sinks (JAVA-1521)

  • ContrastMarkOfTheBeastDispatcherImpl does not handle null strings (JAVA-1678)

Release date: September 2, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Added JBoss servlet route coverage support.

  • Add sanitizers for URL encoding from Liferay 7.X.

  • Added HttpInputMessage#getBody and HttpMessage#getHeaders as sources

  • Updated retrieval of headers from RestTemplate causing path traversal false negative.

  • Updated Assess arbitrary server-side forwards detection.

Bug fixes:

  • Possible path traversal false positive on PDF file upload. (JAVA-1312, SUP-1486)

  • False positive on server-side forward with Liferay ComboServlet. (JAVA-1400)

  • False positive on arbitrary server-side forward with Liferay VirtualHostFilter. (JAVA-1410)

  • Untrusted deserialization investigation in Weblogic DeploymentService. (JAVA-1476)

  • Probed events not reported when exception causes request to end in Jersey. (JAVA-1485)

  • Observed routes never appear for some applications in Contrast. (JAVA-1549)

  • Java Protect false positive in path traversal pattern 10B. (JAVA-1622)

  • Regression with Protect response times in 3.7.7.16256. (JAVA-1626)

Release date: August 19, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Introduced Java 12 compatibility.

  • Updated denylist and allowlist naming conventions.

  • Improved detection for @PathVariable with -Dcontrast.inspect.allclasses=false in Spring 4 and 5.

Bug fixes:

  • Agent ignores WebSphere Trust Store config (JAVA-742)

  • Cve_2014_0114 false positive when user patches commons-beanutils (JAVA-1143)

  • Path traversal FP for Struts 2 default static file handler (JAVA-1398)

  • False positive unvalidated forward for ServletContext#getRequestDispatcher (JAVA-1403)

  • Handle nulls in J2EE profilers with null checks instead of exceptions (JAVA-1495)

  • AttackBlockedException caught and not re-thrown resulting in attack not being blocked (JAVA-1504)

  • Remove ClassLoader types from Contrast ignored class list. (JAVA-1602)

Release date: August 5, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Added support for uploading files with Spring.

  • Updated support for accessing data with JPA in Spring.

  • Jetty is now supported for servlet route coverage.

  • Removed log redaction from our data masking feature.

  • Removed line count from agent.

Bug fixes:

  • SQLi false positive when making RaspSimulator field non-static. (JAVA-7)

  • Spring Boot 2.0+ are not yielding Path Traversal vulnerability. (JAVA-1467)

  • Protect Analysis Cache does not account for input type. (JAVA-29)

  • Protect Analysis cache doesn't take into account source of input. (JAVA-821)

  • Insecure-socket-factory reported due to SNI not explicitly set. (JAVA-988)

  • WebLogic detection is unreliable when domain-info file is missing. (JAVA-1399)

  • Re-implement of spring-unchecked-autobinding logic. (JAVA-1427)

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value. (JAVA-1453)

  • Assess tracks propagation events in agent logging. (JAVA-1487)

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.6.16040

New and improved:

  • Added Spring support for Accessing Relational Data using JDBC.

  • You can now access JPA Data with REST in Spring.

Bug fixes:

These bugs were fixed during the past month:

  • jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.

  • Race condition with CreateApp settings meaning Server level disabled rules are used.

  • Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).

  • finding-send broken due to FrameworkManager bringing in dispatchers from java.lang.

  • Agent fails to request permission before calling setAccessible.

  • Command Injection in Protect received false positive from argparse4j.

  • Agent on WebSphere changes handling of disabled TLS algorithms.

  • Spring PathVariable is not detected as a source.

  • Dataflow is lost through some Spring Util classes.

  • False positive unvalidated forward in Tomcat with Spring DeferredResult.

  • SQLi FP with HttpClient's RetryExec with MariaDB

  • False positive received with XSS Keyword.

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480

New and improved:

  • Provided route coverage support for the Servlet API.

  • Implemented Sensitive Data Masking with the mask_attack_vector.

  • Added Assess support for DynamoDB.

Bug fixes:

  • Protect caches input no matter the size potentially leading to OOMs for large requests

  • Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

  • Path Traversal False Positive Due to Spring's ServletContextResource

  • Race condition in App Inventory along with Protect Struts Cve rules

  • Log4j2 instrumentation fails on Log4j2 2.13.1

  • Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

  • Protect SQLi SimpleOrSearcher has poor performance on large inputs

  • Assess CSRF Detection Fails When Request Uses form-data/multipart

  • SSRF detection must not take use of tainted path as a SSRF vulnerability

  • Java Agent does not provide a findings field for PathTraversalSemanticDTM

  • Agent Prevents Graceful JVM Shutdown

  • Fix performance metric reporting for Acceptance Tests

  • StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.4.14937

New features and improvements:

  • Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.

  • Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.

Bug fixes:

  • XXE vulnerability missed in Assess but flagged as path traversal

  • UI displaying blocked and exploited HTTP Method Tampering events

  • Protect was receiving false negatives for XSS Bypass via Bug Bounty

  • Spring auto binding rule causing false negatives

  • Protect Path Traversal False Positive due to base64 null char

  • NPE in ContrastHttpRouteRegistrationWatcherDispatcherImpl

  • ReportFindings acceptance test annotation is broken

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657

New and improved:

  • Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

Important notes:

  • This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premise Contrast servers version 3.7.2 and older.

Bug fixes:

  • When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.

  • When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit session_id configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the contrast.agent.java.standalone_app_name configuration.