Java agent release notes
Release date: December 10, 2020
Language versions currently supported: Java 1.6 - Java 11, 12, 13, 14 and 15
New and improved:
Java 13, 14 and 15 are now supported.
Updated `PropagationEvent` and `SourceEvent` with more modern design patterns.
Updated agent to no longer send invalid `ArchitectureComponentDTM`.
Fixed invalid LDAP URL in architecture components.
`ObservedRoute` URL is being passed to Contrast with an empty value.
Improved performance of Base64 encoding detection.
Moved padding oracle Protect rule to Beta.
Added feature flag for web service response tracking (which is disabled by default) to ignore external HTTP responses as sources.
Improved performance by making changes to MarkOfTheBeast instrumentation.
Added new SQL Injection whitespace separators to Protect keywords.
Decreased Base64 decoding in Protect for performance improvements.
Bug fixes:
Protect malformed-header rule must include exceptional logic for multipart/related Content-Type's. (JAVA-1020)
Zombie Background Service error. Use `ScheduledExecutorService` instead of `Thread.sleep`. (JAVA-1911)
StackOverflowException occurred from `CodeEventBuilder.getMethod()`. (JAVA-1960)
The `spring-unchecked-autobinding` rule is not supported in Spring 4. (JAVA-69)
Agent reports vulnerabilities before taking library inventory. (JAVA-1265)
Wildfly session ID is null when redirected to another servlet in tests. (JAVA-1300)
An `AppCreate` message is never sent if library inventory is disabled. (JAVA-1817)
False attack reported when using Hadoop 3.2.1. Deadzone added to prevent this. (JAVA-1866)
Protect showed performance issues when analyzing deserialized objects. (JAVA-1871)
Server name defaults to null if lookup fails and not set by config. (JAVA-1894)
Propagators were causing false positives and negatives. Removed `FileInputStream.<init>` propagators to prevent false positives. Added `FileInputStream.<init>` as a path traversal sink to prevent false negatives. (JAVA-1914, JAVA-1915)
Release date: November 12, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Java 2 Security Manager support is now out of beta and available for general use.
Added agent compatibility for Java 14 and 15.
Refactored and improved parts of application initialization to prevent rare errors.
Added OWASP Benchmark to automated test pipeline.
Updated SQL Injection whitespace separators for Protect.
Added a debug log statement after primordial retransformation.
The agent can now detect programmatic setting of Session Timeout for applications without a web.xml.
Updated padding oracle, ReDos, and ZIP file overwrite Protect rules to include Suspicious attack labels.
Bug fixes:
Some Struts CVE shields don't check for vulnerable libraries before reporting attacks. (JAVA-153)
Moved CSP header analysis context so it is specific to the current request, rather than applying to all requests. (JAVA-1609)
Release date: October 29, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Java 2 Security Manager support is now out of beta and available for general use.
Removed the auto-license configurations from the Java agent.
Enabled reporting of enhanced library usage feature by default.
Added support for JEP 325 switch expressions.
Updated agent to prevent redacting important error information from the logs.
Changed inaccurate warning when application name cannot be found.
Added Expression Language injection vulnerability support for Thymeleaf in Spring.
Updated agent to default Protect rule modes to `off`.
Bug fixes:
Assess XXE getting false negative with JAXP StAX Parsers. (JAVA-757)
GlassFish classloader occasionally fails to load contrast dispatcher types. (JAVA-1595)
CSP header analysis referrer is misspelled. (JAVA-1611)
ReDoS event causes application to fail to start. (JAVA-1771)
DataDog Protect path traversal shows false positive. (JAVA-1791)
Redundant `onApplicationInventoried` callbacks cause performance degradation. (JAVA-1822)
Release date: October 15, 2020
Language versions currently supported: Java 1.6 - Java 11
Important notes:
In this release, the Java agent changed the behavior of the `api.timeout_ms` config parameter. Previously this parameter, while titled as milliseconds, was interpreted by the Java agent as seconds. This behavior has been corrected to be milliseconds across the board. The legacy behavior using seconds is not available via a YAML config, but is configurable with the `-Dcontrast.timeout` flag. Contact Support if you were negatively impacted by this change and need assistance.
New and improved:
You can now use profiles in a multi-tenant application configuration to apply individual options to each application.
Verified Protect blocks untrusted deserialization on `commons-collections` and `c3p0`.
Liferay Suppression now uses `UnvalidatedForwardCheck` and not stack blocklist.
You will now see WARN if the YAML configuration file contains invalid syntax when parsing or if required configuration to connect to the Contrast application is missing.
Log full configuration state including environment, command line, and YAML values.
Bug fixes:
False positive on hardcoded key in Assess. (JAVA-710)
Missing deadzone caused NewRelic path traversal. (JAVA-891)
SHA-1 false positive found in WebSphere LTPA token generation. (JAVA-1594)
SHA3-256 incorrectly identified as bad crypto algorithm. (JAVA-1603)
False negatives due to missing `java.io.InputStream.read` propagators. (JAVA-1633)
Analyze-log tool crashes when missing second argument. (JAVA-1670)
Agent fails to deserialize `ApplicationResponse` with modules. (JAVA-1687)
Common config `api.timeout_ms` value is actually in seconds, not milliseconds. (JAVA-1694)
Use `StackCapture.traceWithoutContrastCode` over complex stack frame depth calculations. (JAVA-1697)
Suppress `crypto-bad-mac` vulnerability from within Hibernate. (JAVA-1707)
In some cases on Java 13+ with Assess enabled, `string.replace` fails. (JAVA-1722)
Remove double colon from Proxy URL configuration description. (JAVA-1773)
Netflix Zuul is throwing a header-injection false positive. (JAVA-1632)
Release date: October 1, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Separated semantic analysis rules out into new rules.
Spring `ClientHttpResponse#getStatusText` is no longer being filled in with Spring Boot 1.4+.
Lowered `DocumentScanningManager` log statement to DEBUG.
Added support for Spring RestTemplate.
Added Assess support for Hibernate HQL, JPA/JPQL and Criteria API vulnerabilities.
Included GlassFish support for servlet route coverage.
Bug fixes:
`ContrastDynamicSourceDispatcherImpl` throws unnecessary error. (JAVA-1709)
Path traversal false positive in Grails application due to `AssetPipelineFilter`. (JAVA-1473)
Grizzly Propagator incidentally ignored by agent. (JAVA-1635)
Release date: September 16, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Introduced Java 13 compatibility.
Added support for `Matcher#appendReplacement` and `String#replace`.
Added support for Java Security Manager on WebSphere and WebLogic with Java 6 through 8.
Added support for `contrast.profile` properties.
Bug fixes:
False positive path traversal in Liferay DynamicCSSFilter (JAVA-1402)
Assess rule `cookie-flags-missing` suppression logic fails at `addHeader` and `setHeader` sinks (JAVA-1521)
`ContrastMarkOfTheBeastDispatcherImpl` does not handle null strings (JAVA-1678)
Release date: September 2, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Added JBoss servlet route coverage support.
Added sanitizers for URL encoding from Liferay 7.X.
Added `HttpInputMessage#getBody` and `HttpMessage#getHeaders` as sources.
Updated retrieval of headers from `RestTemplate` that was causing a path traversal false negative.
Updated Assess arbitrary server-side forwards detection.
Bug fixes:
Possible path traversal false positive on PDF file upload. (JAVA-1312, SUP-1486)
False positive on server-side forward with Liferay ComboServlet. (JAVA-1400)
False positive on arbitrary server-side forward with Liferay VirtualHostFilter. (JAVA-1410)
Untrusted deserialization investigation in Weblogic DeploymentService. (JAVA-1476)
Probed events not reported when exception causes request to end in Jersey. (JAVA-1485)
Observed routes never appear for some applications in Contrast. (JAVA-1549)
Java Protect false positive in path traversal pattern 10B. (JAVA-1622)
Regression with Protect response times in 3.7.7.16256. (JAVA-1626)
Release date: August 19, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Introduced Java 12 compatibility.
Updated blocklist and allowlist naming conventions.
Improved detection for `@PathVariable` with `-Dcontrast.inspect.allclasses=false` in Spring 4 and 5.
Bug fixes:
Agent ignores WebSphere Trust Store config (JAVA-742)
`Cve_2014_0114` false positive when user patches `commons-beanutils` (JAVA-1143)
Path traversal FP for Struts 2 default static file handler (JAVA-1398)
False positive unvalidated forward for `ServletContext#getRequestDispatcher` (JAVA-1403)
Handle nulls in J2EE profilers with null checks instead of exceptions (JAVA-1495)
`AttackBlockedException` caught and not re-thrown resulting in attack not being blocked (JAVA-1504)
Remove `ClassLoader` types from Contrast ignored class list. (JAVA-1602)
Release date: August 5, 2020
Language versions currently supported: Java 1.6 - Java 11
New and improved:
Added support for uploading files with Spring.
Updated support for accessing data with JPA in Spring.
Jetty is now supported for servlet route coverage.
Removed log redaction from our data masking feature.
Removed line count from agent.
Bug fixes:
SQLi false positive when making RaspSimulator field non-static. (JAVA-7)
Spring Boot 2.0+ are not yielding Path Traversal vulnerability. (JAVA-1467)
Protect Analysis Cache does not account for input type. (JAVA-29)
Protect Analysis cache doesn't take into account source of input. (JAVA-821)
Insecure-socket-factory reported due to SNI not explicitly set. (JAVA-988)
WebLogic detection is unreliable when domain-info file is missing. (JAVA-1399)
Re-implemented `spring-unchecked-autobinding` logic. (JAVA-1427)
`-Dcontrast.rootapp` name ignored when `ServletContext.getServletContextName()` returns non-empty value. (JAVA-1453)
Assess tracks propagation events in agent logging. (JAVA-1487)
Language versions currently supported: Java 1.6 - Java 11
Agent versions released during the past month: 3.7.5.15634, 3.7.6.16040
New and improved:
Added Spring support for Accessing Relational Data using JDBC.
You can now access JPA Data with REST in Spring.
Bug fixes:
These bugs were fixed during the past month:
jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.
Race condition with CreateApp settings meaning Server level disabled rules are used.
Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).
`finding-send` broken due to FrameworkManager bringing in dispatchers from `java.lang`.
Agent fails to request permission before calling `setAccessible`.
Command Injection in Protect received false positive from `argparse4j`.
Agent on WebSphere changes handling of disabled TLS algorithms.
Spring `PathVariable` is not detected as a source.
Dataflow is lost through some Spring Util classes.
False positive unvalidated forward in Tomcat with Spring `DeferredResult`.
SQLi FP with HttpClient's `RetryExec` with MariaDB.
False positive received with XSS Keyword.
`-Dcontrast.rootapp` name ignored when `ServletContext.getServletContextName()` returns non-empty value.
Language versions currently supported: Java 1.6 - Java 11
Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480
New and improved:
Provided route coverage support for the Servlet API.
Implemented Sensitive Data Masking with the mask_attack_vector.
Added Assess support for DynamoDB.
Bug fixes:
Protect caches input no matter the size potentially leading to OOMs for large requests
Undertow Resource Handlers Should Not Trigger Path Traversal Attacks
Path Traversal False Positive Due to Spring's ServletContextResource
Race condition in App Inventory along with Protect Struts Cve rules
Log4j2 instrumentation fails on Log4j2 2.13.1
Agent Reports Incorrect HTTP Protocol Version on Servlet Containers
Protect SQLi SimpleOrSearcher has poor performance on large inputs
Assess CSRF Detection Fails When Request Uses form-data/multipart
SSRF detection must not take use of tainted path as a SSRF vulnerability
Java Agent does not provide a findings field for PathTraversalSemanticDTM
Agent Prevents Graceful JVM Shutdown
Fix performance metric reporting for Acceptance Tests
StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs
Language versions currently supported: Java 1.6 - Java 11
Agent versions released during the past month: 3.7.4.14937
New features and improvements:
Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.
Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.
Bug fixes:
XXE vulnerability missed in Assess but flagged as path traversal
UI displaying blocked and exploited HTTP Method Tampering events
Protect was receiving false negatives for XSS Bypass via Bug Bounty
Spring auto binding rule causing false negatives
Protect Path Traversal False Positive due to base64 null char
NPE in `ContrastHttpRouteRegistrationWatcherDispatcherImpl`
ReportFindings acceptance test annotation is broken
Language versions currently supported: Java 1.6 - Java 11
Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657
New and improved:
Contrast Assess more accurately detects Path Traversal vulnerabilities.
Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications.
Contrast Protect more accurately detects SQL Injection attacks.
Important notes:
This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premise Contrast servers version 3.7.2 and older.
Bug fixes:
When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.
When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit `session_id` configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the `contrast.agent.java.standalone_app_name` configuration.