Java agent release notes

Reduced object allocation in input canonicalization of Protect for increased performance and lower memory usage.

Added support for WebLogic's DocumentBuilder XML implementations in Assess.

Changed Protect XSS rule from Probed to Suspicious when in monitoring mode.

When using a PemPrivateKey in Netty, the agent would report a Hardcoded Key vulnerability. (JAVA-2616)

When using Jersey JAX-RS, the agent could get caught in a race condition during route observation. (JAVA-2425)

When using an older version of ESAPI with Protect enabled, the agent could throw a null-pointer exception. We removed the deprecated User Attack Attribution feature to fix this issue. (JAVA-66)

The Java agent is now compatible with the latest Java 16 release candidate.

When attempting to block a ReDos attack with Protect, application settings for the rule from Contrast were ignored. (JAVA-1959)

When Assess is enabled in a Websphere server, sending a SOAP request could report an XXE false positive. (JAVA-2273)

When using Netty, the agent could cause the request cookies to become malformed. (JAVA-2439)

When using Apache, the agent is reporting WebService architecture components with invalid URL values. (JAVA-2449)

Downgraded "Failed to Update Immutable Collection" log message from ERROR to DEBUG.

When running Protect, rules that only block at the perimeter do not report attacks at the perimeter when in monitoring mode. (JAVA-58)

When trying to scan for Spring Boot libraries on startup, the agent fails if JBOSS_HOME is set. (JAVA-2027)

When trying to monitor the number of queries executed, the agent could incorrectly report a much higher number of queries. (JAVA-1970)

When running Assess in WebSphere, the agent could falsely report a XXE vulnerability in XLXP2. (JAVA-2387)

When attempting to decode Javascript in Protect, the agent could throw an NullPointerException on a specific input. (JAVA-2456)

Updated list of secure encryption algorithms for the insecure encryption algorithm Assess rule.

When Websphere is run with the agent in suite B mode, a java.lang.IllegalArgumentException is thrown, regardless of whether TLS1.2 is set as a system property. (JAVA-1813)

When running a Dropwizard service that doesn't expose anything on the default servlet context, we log repeatedly after failing to obtain servlet context. We updated this to only log once. (JAVA-2272)

When trying to discover architectural components on start up, the agent could accidentally report a negative number. We've defaulted to certain ports based on HTTP scheme. (JAVA-2294)

When using the agent with Assess enabled, the agent could have a memory leak due to keeping all transformed class names. (JAVA-2310)

Rule mode configurations were hidden by the agent but are now visible. (JAVA-3)

When checking for command chaining in SQL injection with Protect, a false positive could occur if BEGIN and END were used. (JAVA-53)

Fixed configuration documentation for inventory.library_dirs property to specify correct delimiter per OS. (JAVA-962)

When using Grizzly, the agent did not properly handle insecure cookies set with setHeader. (JAVA-1785)

When using Assess, the agent could report incorrect security control tags in data flow. (JAVA-2216)

When using Protect, analysis of form metadata could result in a false positive. (JAVA-2274)

The Contrast agent no longer enables Synapse-related policies by default. Support for Synapse is in Beta.

Added support for JPQL for JPA 2.0-2.2 in Protect.

Removed cookie name and value as valid sources for Reflected XSS in Apache CXF, Grizzly, JAX-RS on Jersey, J2EE/Servlets, and Netty.

When a user supplies an empty session ID configuration value, Contrast rejects vulnerabilities. The Java agent no longer allows empty session ID configuration. (JAVA-1120)

When scanning for overly-long session timeout vulnerabilities, the agent can match on XML nodes that were commented out. The agent now parses web.xml when looking for overly-long session timeout instead of using a String match. (JAVA-1912)

When inventory is disabled (-Dcontrast.inventory.enable=false) the agent still reports application inventory data. (JAVA-1968)

When inventory is disabled, Protect attack reports can be disrupted. (JAVA-1971)

The Java agent no longer considers application path for application ID. (JAVA-2055)

When Protect is enabled the agent considers binary data for multipart value inputs. It will now only consider non-binary data. (JAVA-2103)

Removed an Assess SQL injection false positive finding within MariaDB. (JAVA-2106)

When using Synapse, tags are not duplicated for Apache headers and static strings. (JAVA-2117)

The Java agent will now be disabled after 404 response from Contrast on startup.

Added Assess and Protect support for the MyBatis framework.

Agent now sends heartbeat messages to Contrast.

Improved Protect Base64 optimization when using exclusions or disabling rules.

False positive is associated with WebSphere when Protect is enabled. (JAVA-1897)

Loading static content with Websphere triggers a false positive Path Traversal vulnerability. (JAVA-1910)

Insecure Authentication Protocol Rule can cause false positives. (JAVA-1913)

Agent loses tainted object when Undertow's PartImpl#getHeaders is called more than once. (JAVA-1932)

Datadog Protect Path Traversal caused false positives. Repaired by deadzoning certain classes. (JAVA-2057)

Agent HierarchyCache leaks file handles. (JAVA-2062)

Loading static content with Wildfly triggers a false positive Path Traversal vulnerability. (JAVA-2064)

Java 13, 14 and 15 are now supported.

Updated PropagationEvent and SourceEvent with more modern design patterns.

Updated agent to no longer send invalid ArchitectureComponentDTM.

Fixed invalid LDAP url in architecture components.

ObservedRoute URL is being passed to Contrast with an empty value.

Improved performance of Base64 encoding detection.

Moved padding oracle Protect rule to Beta.

Added feature flag for web service response tracking (which is disabled by default) to ignore external HTTP responses as sources.

Improved performance by making changes to MarkOfTheBeast instrumentation.

Added new SQL Injection whitespace separators to Protect keywords.

Decreased Base64 decoding in Protect for performance improvements.

Protect malformed-header rule must include exceptional logic for multipart/related Content-Type's. (JAVA-1020)

Zombie Background Service error. Use ScheduledExecutorService instead of Thread.sleep. (JAVA-1911)

StackOverflowException ocurred from CodeEventBuilder.getMethod(). (JAVA-1960)

The spring-unchecked-autobinding rule is not supported in Spring 4. (JAVA-69)

Agent reports vulnerabilities before taking library inventory. (JAVA-1265)

Wildfly session ID is null when redirected to another servlet in tests. (JAVA-1300)

An AppCreate message is never sent if library inventory is disabled. (JAVA-1817)

False attack reported when using Hadoop 3.2.1. Deadzone added to prevent this. (JAVA-1866)

Protect showed performance issues when analyzing deserialized objects. (JAVA-1871)

Server name defaults to null if lookup fails and not set by config. (JAVA-1894)

Propagators were causing false positives and negatives. Removed FileInputStream.<init> propagators to prevent false positives. Added FileInputStream.<init> as a path traversal sink to prevent false negatives. (JAVA-1914, JAVA-1915)

Java 2 Security Manager support is now out of beta and available for general use.

Added agent compatibility for Java 14 and 15.

Refactored and improved parts of application initialization to prevent rare errors.

Added OWASP Benchmark to automated test pipeline.

Updated SQL Injection whitespace separators for Protect.

Added a debug log statement after primordial retransformation.

The agent can now detect programmatic setting of Session Timeout for applications without a web.xml.

Updated padding oracle, ReDos, and ZIP file overwrite Protect rules to include Suspicious attack labels.

Some Struts CVE shields don't check for vulnerable libraries before reporting attacks. (JAVA-153)

Moved CSP header analysis context so it is specific to the current request, rather than applying to all requests. (JAVA-1609)

Java 2 Security Manager support is now out of beta and available for general use.

Removed the auto-license configurations from the Java agent.

Enabled reporting of enhanced library usage feature by default.

Added support for JEP 325 switch expressions.

Updated agent to prevent redacting important error information from the logs.

Changed inaccurate warning when application name cannot be found.

Added Expression Language injection vulnerability support for Thymeleaf in Spring.

Updated agent to default Protect rule modes to off.

Assess XXE getting false negative with JAXP StAX Parsers. (JAVA-757)

GlassFish classloader occasionally fails to load contrast dispatcher types. (JAVA-1595)

CSP header analysis referrer is misspelled. (JAVA-1611)

ReDoS event causes application to fail to start. (JAVA-1771)

DataDog Protect path traversal shows false positive. (JAVA-1791)

Redundant onApplicationInventoried callbacks cause performance degradation. (JAVA-1822)

You can now use profiles in a multi-tenant application configuration to apply individual options to each application.

Verified Protect blocks untrusted deserialization on commons-collections and c3p0.

Liferay Suppression now uses UnvalidatedForwardCheck and not stack denylist.

You will now see WARN if the YAML configuration file contains invalid syntax when parsing or if required configuration to connect to the Contrast application is missing.

Log full configuration state including environment, command line, and YAML values.

False positive on hardcoded key in Assess. (JAVA-710)

Missing deadzone caused NewRelic path traversal. (JAVA-891)

SHA-1 false positive found in WebSphere LTPA token generation. (JAVA-1594)

SHA3-256 incorrectly identified as bad crypto algorithm. (JAVA-1603)

False negatives due to missing java.io.InputStream.read propagators. (JAVA-1633)

Analyze-log tool crashes when missing second argument. (JAVA-1670)

Agent fails to deserialize ApplicationResponse with modules. (JAVA-1687)

Common config api.timeout_ms value is actually in seconds, not milliseconds. (JAVA-1694)

Use StackCapture.traceWithoutContrastCode over complex stack frame depth calculations. (JAVA-1697)

Suppress crypto-bad-mac vulnerability from within Hibernate. (JAVA-1707)

In some cases on Java 13+ with Assess enabled, string.replace fails. (JAVA-1722)

Remove double colon from Proxy URL configuration description. (JAVA-1773)

Netflix Zuul is throwing a header-injection false positive. (JAVA-1632)

Separated semantic analysis rules out into new rules.

Spring ClientHttpResponse#getStatusText is no longer being filled in with Spring Boot 1.4+.

Lowered DocumentScanningManager log statement to DEBUG.

Added support for Spring RestTemplate.

Added Assess support for Hibernate HQL, JPA/JPQL and Criteria API vulnerabilities.

Included GlassFish support for servlet route coverage.

ContrastDynamicSourceDispatcherImpl throws unnecessary error. (JAVA-1709)

Path traversal false positive in Grails application due to AssetPipelineFilter. (JAVA-1473)

Grizzly Propagator incidentally ignored by agent. (JAVA-1635)

Introduced Java 13 compatibility.

Added support for Matcher#appendReplacement and String#replace.

Added support for Java Security Manager on WebSphere and WebLogic with Java 6 through 8.

Added support for contrast.profile properties.

False positive path traversal in Liferay DynamicCSSFilter (JAVA-1402)

Assess rule cookie-flags-missing suppression logic fails at addHeader and setHeader sinks (JAVA-1521)

ContrastMarkOfTheBeastDispatcherImpl does not handle null strings (JAVA-1678)

Added JBoss servlet route coverage support.

Add sanitizers for URL encoding from Liferay 7.X.

Added HttpInputMessage#getBody and HttpMessage#getHeaders as sources

Updated retrieval of headers from RestTemplate causing path traversal false negative.

Updated Assess arbitrary server-side forwards detection.

Possible path traversal false positive on PDF file upload. (JAVA-1312, SUP-1486)

False positive on server-side forward with Liferay ComboServlet. (JAVA-1400)

False positive on arbitrary server-side forward with Liferay VirtualHostFilter. (JAVA-1410)

Untrusted deserialization investigation in Weblogic DeploymentService. (JAVA-1476)

Probed events not reported when exception causes request to end in Jersey. (JAVA-1485)

Observed routes never appear for some applications in Contrast. (JAVA-1549)

Java Protect false positive in path traversal pattern 10B. (JAVA-1622)

Regression with Protect response times in 3.7.7.16256. (JAVA-1626)

Introduced Java 12 compatibility.

Updated denylist and allowlist naming conventions.

Improved detection for @PathVariable with -Dcontrast.inspect.allclasses=false in Spring 4 and 5.

Agent ignores WebSphere Trust Store config (JAVA-742)

Cve_2014_0114 false positive when user patches commons-beanutils (JAVA-1143)

Path traversal FP for Struts 2 default static file handler (JAVA-1398)

False positive unvalidated forward for ServletContext#getRequestDispatcher (JAVA-1403)

Handle nulls in J2EE profilers with null checks instead of exceptions (JAVA-1495)

AttackBlockedException caught and not re-thrown resulting in attack not being blocked (JAVA-1504)

Remove ClassLoader types from Contrast ignored class list. (JAVA-1602)

Added support for uploading files with Spring.

Updated support for accessing data with JPA in Spring.

Jetty is now supported for servlet route coverage.

Removed log redaction from our data masking feature.

Removed line count from agent.

SQLi false positive when making RaspSimulator field non-static. (JAVA-7)

Spring Boot 2.0+ are not yielding Path Traversal vulnerability. (JAVA-1467)

Protect Analysis Cache does not account for input type. (JAVA-29)

Protect Analysis cache doesn't take into account source of input. (JAVA-821)

Insecure-socket-factory reported due to SNI not explicitly set. (JAVA-988)

WebLogic detection is unreliable when domain-info file is missing. (JAVA-1399)

Re-implement of spring-unchecked-autobinding logic. (JAVA-1427)

-Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value. (JAVA-1453)

Assess tracks propagation events in agent logging. (JAVA-1487)

Added Spring support for Accessing Relational Data using JDBC.

You can now access JPA Data with REST in Spring.

jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.

Race condition with CreateApp settings meaning Server level disabled rules are used.

Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).

finding-send broken due to FrameworkManager bringing in dispatchers from java.lang.

Agent fails to request permission before calling setAccessible.

Command Injection in Protect received false positive from argparse4j.

Agent on WebSphere changes handling of disabled TLS algorithms.

Spring PathVariable is not detected as a source.

Dataflow is lost through some Spring Util classes.

False positive unvalidated forward in Tomcat with Spring DeferredResult.

SQLi FP with HttpClient's RetryExec with MariaDB

False positive received with XSS Keyword.

-Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value.

Provided route coverage support for the Servlet API.

Implemented Sensitive Data Masking with the mask_attack_vector.

Added Assess support for DynamoDB.

Protect caches input no matter the size potentially leading to OOMs for large requests

Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

Path Traversal False Positive Due to Spring's ServletContextResource

Race condition in App Inventory along with Protect Struts Cve rules

Log4j2 instrumentation fails on Log4j2 2.13.1

Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

Protect SQLi SimpleOrSearcher has poor performance on large inputs

Assess CSRF Detection Fails When Request Uses form-data/multipart

SSRF detection must not take use of tainted path as a SSRF vulnerability

Java Agent does not provide a findings field for PathTraversalSemanticDTM

Agent Prevents Graceful JVM Shutdown

Fix performance metric reporting for Acceptance Tests

StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs

Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.

Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.

XXE vulnerability missed in Assess but flagged as path traversal

UI displaying blocked and exploited HTTP Method Tampering events

Protect was receiving false negatives for XSS Bypass via Bug Bounty

Spring auto binding rule causing false negatives

Protect Path Traversal False Positive due to base64 null char

NPE in ContrastHttpRouteRegistrationWatcherDispatcherImpl

ReportFindings acceptance test annotation is broken

Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premise Contrast servers version 3.7.2 and older.

When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.

When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit session_id configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the contrast.agent.java.standalone_app_name configuration.