Java agent release notes

Release date: September 16, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Introduced Java 13 compatibility.

  • Added support for Matcher#appendReplacement and String#replace.

  • Added support for Java Security Manager on WebSphere and WebLogic with Java 6 through 8.

  • Added support for contrast.profile properties.

Bug fixes:

  • False positive path traversal in Liferay DynamicCSSFilter (JAVA-1402)

  • Assess rule cookie-flags-missing suppression logic fails at addHeader and setHeader sinks (JAVA-1521)

  • ContrastMarkOfTheBeastDispatcherImpl does not handle null strings (JAVA-1678)

Release date: September 2, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Added JBoss servlet route coverage support.

  • Add sanitizers for URL encoding from Liferay 7.X.

  • Added HttpInputMessage#getBody and HttpMessage#getHeaders as sources

  • Updated retrieval of headers from RestTemplate causing path traversal false negative.

  • Updated Assess arbitrary server-side forwards detection.

Bug fixes:

  • Possible path traversal false positive on PDF file upload. (JAVA-1312, SUP-1486)

  • False positive on server-side forward with Liferay ComboServlet. (JAVA-1400)

  • False positive on arbitrary server-side forward with Liferay VirtualHostFilter. (JAVA-1410)

  • Untrusted deserialization investigation in Weblogic DeploymentService. (JAVA-1476)

  • Probed events not reported when exception causes request to end in Jersey. (JAVA-1485)

  • Observed routes never appear for some applications in Contrast. (JAVA-1549)

  • Java Protect false positive in path traversal pattern 10B. (JAVA-1622)

  • Regression with Protect response times in 3.7.7.16256. (JAVA-1626)

Release date: August 19, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Introduced Java 12 compatibility.

  • Updated blocklist and allowlist naming conventions.

  • Improved detection for @PathVariable with -Dcontrast.inspect.allclasses=false in Spring 4 and 5.

Bug fixes:

  • Agent ignores WebSphere Trust Store config (JAVA-742)

  • Cve_2014_0114 false positive when user patches commons-beanutils (JAVA-1143)

  • Path traversal FP for Struts 2 default static file handler (JAVA-1398)

  • False positive unvalidated forward for ServletContext#getRequestDispatcher (JAVA-1403)

  • Handle nulls in J2EE profilers with null checks instead of exceptions (JAVA-1495)

  • AttackBlockedException caught and not re-thrown resulting in attack not being blocked (JAVA-1504)

  • Remove ClassLoader types from Contrast ignored class list. (JAVA-1602)

Release date: August 5, 2020

Language versions currently supported: Java 1.6 - Java 11

New and improved:

  • Added support for uploading files with Spring.

  • Updated support for accessing data with JPA in Spring.

  • Jetty is now supported for servlet route coverage.

  • Removed log redaction from our data masking feature.

  • Removed line count from agent.

Bug fixes:

  • SQLi false positive when making RaspSimulator field non-static. (JAVA-7)

  • Spring Boot 2.0+ are not yielding Path Traversal vulnerability. (JAVA-1467)

  • Protect Analysis Cache does not account for input type. (JAVA-29)

  • Protect Analysis cache doesn't take into account source of input. (JAVA-821)

  • Insecure-socket-factory reported due to SNI not explicitly set. (JAVA-988)

  • WebLogic detection is unreliable when domain-info file is missing. (JAVA-1399)

  • Re-implement of spring-unchecked-autobinding logic. (JAVA-1427)

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value. (JAVA-1453)

  • Assess tracks propagation events in agent logging. (JAVA-1487)

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.6.16040

New and improved:

  • Added Spring support for Accessing Relational Data using JDBC.

  • You can now access JPA Data with REST in Spring.

Bug fixes:

These bugs were fixed during the past month:

  • jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.

  • Race condition with CreateApp settings meaning Server level disabled rules are used.

  • Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).

  • finding-send broken due to FrameworkManager bringing in dispatchers from java.lang.

  • Agent fails to request permission before calling setAccessible.

  • Command Injection in Protect received false positive from argparse4j.

  • Agent on WebSphere changes handling of disabled TLS algorithms.

  • Spring PathVariable is not detected as a source.

  • Dataflow is lost through some Spring Util classes.

  • False positive unvalidated forward in Tomcat with Spring DeferredResult.

  • SQLi FP with HttpClient's RetryExec with MariaDB

  • False positive received with XSS Keyword.

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480

New and improved:

  • Provided route coverage support for the Servlet API.

  • Implemented Sensitive Data Masking with the mask_attack_vector.

  • Added Assess support for DynamoDB.

Bug fixes:

  • Protect caches input no matter the size potentially leading to OOMs for large requests

  • Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

  • Path Traversal False Positive Due to Spring's ServletContextResource

  • Race condition in App Inventory along with Protect Struts Cve rules

  • Log4j2 instrumentation fails on Log4j2 2.13.1

  • Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

  • Protect SQLi SimpleOrSearcher has poor performance on large inputs

  • Assess CSRF Detection Fails When Request Uses form-data/multipart

  • SSRF detection must not take use of tainted path as a SSRF vulnerability

  • Java Agent does not provide a findings field for PathTraversalSemanticDTM

  • Agent Prevents Graceful JVM Shutdown

  • Fix performance metric reporting for Acceptance Tests

  • StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.4.14937

New features and improvements:

  • Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.

  • Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.

Bug fixes:

  • XXE vulnerability missed in Assess but flagged as path traversal

  • UI displaying blocked and exploited HTTP Method Tampering events

  • Protect was receiving false negatives for XSS Bypass via Bug Bounty

  • Spring auto binding rule causing false negatives

  • Protect Path Traversal False Positive due to base64 null char

  • NPE in ContrastHttpRouteRegistrationWatcherDispatcherImpl

  • ReportFindings acceptance test annotation is broken

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657

New and improved:

  • Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

Important notes:

  • This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premise Contrast servers version 3.7.2 and older.

Bug fixes:

  • When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.

  • When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit session_id configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the contrast.agent.java.standalone_app_name configuration.