Release News - June 2020

This page shows highlights from our all Contrast hosted, on-premises and agent releases over the past month.

3.7.5 on-premises release date: July 7, 2020

New and improved:

  • There is a new Vulnerability Instances section under the Notes tab on a vulnerability's detail page.  Here you can see associated vulnerability instances with links that navigate to them. Vulnerability instances are listed by ID in descending order based on when they were first found, with the most recently found vulnerability (Last Detected) at the top.

  • The library grid will now sort by library score as the default. This ensures libraries with the most risk are clearly visible. Library version information is now more clearly reported and includes if the library in use is the latest version.

  • Contrast Documentation is still available at docs.contrastsecurity,com but with a new cleaner look, an improved search, and content organized by user role. Give us your feedback to help us keep improving.

Bug fixes:

These bugs have been fixed in the past month:

  • TS-3091 (SUP-1267, 1286) Some servers were appearing offline erroneously.

  • TS-3272 (SUP-1443) On-premises upgrade was requiring a java.security adjustments. This is no longer required.

  • DOTNET-1738 (SUP-1471,1491) .NET agent would crash when overly complex typesec was encountered.

  • NODE-904 (SUP-1634) Node.js agent was requiring the gRPC module which caused the agent to crash.

  • TS-2778 (SUP-1269) Searching for a vulnerability by ID was causing a global search timeout.

  • TS-2641 (SUP-1215) Attestation report was failing to generate when requested.

  • TS-3403 (SUP-1530) On-premises contrast-server.service was failing to restart after upgrade.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480

New features and improvements:

  • Provided route coverage support for the Servlet API.

  • Implemented Sensitive Data Masking with the mask_attack_vector.

  • Added Assess support for DynamoDB.

Bug fixes:

  • Protect caches input no matter the size potentially leading to OOMs for large requests

  • Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

  • Path Traversal False Positive Due to Spring's ServletContextResource

  • Race condition in App Inventory along with Protect Struts Cve rules

  • Log4j2 instrumentation fails on Log4j2 2.13.1

  • Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

  • Protect SQLi SimpleOrSearcher has poor performance on large inputs

  • Assess CSRF Detection Fails When Request Uses form-data/multipart

  • SSRF detection must not take use of tainted path as a SSRF vulnerability

  • Java Agent does not provide a findings field for PathTraversalSemanticDTM

  • Agent Prevents Graceful JVM Shutdown

  • Fix performance metric reporting for Acceptance Tests

  • StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.1, 20.6.3, 20.6.4

New features and improvements:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • Added support for OWIN based-hosting and self-hosted Web API applications outside of IIS.

  • The agent will now clean up old logs in Azure App Service and Docker-based deployments.

  • Improved logging and reliability around the agent’s auto-upgrade process.

  • Improved performance of Protect XSS.

  • Added support for route-based coverage of WCF services using Unity interception.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When the agent’s service would restart IIS with Contrast sensors on an overloaded server, the service could start receiving messages from those sensors before it was ready to handle them which lead to the sensors failing to initialize. This issue has been fixed now.

  • When a user would set up profiler chaining with AppDynamics in an Azure App Service environment, the AppDynamics profiler would fail to load. This has now been fixed.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New features and improvements:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.1 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4

New features and improvements:

  • Multiple architecture and performance improvements.

  • New gRPC communication protocol between the agent service improves performance.

  • Removed name and value cookie sources for reflected XXS per updated guidance for both Assess and Protect.

  • Added a sensor for SQLite for Protect.

  • Added support for Koa version 2.12.

  • Reflected XSS is now not reported if Content-Type is allowlisted as safe.

Important notes:

  • A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.

Bug fixes:

  • Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service

  • Implemented fixes to resolve route coverage issues that surface when using graphQL, Apollo Server, and Fastify

  • Resolved a false positive issue when correctly using Sequelize to escape strings.

  • Resolved exception when fastify.route is called with an uppercase verb.

  • Resolved an issue that manifested as reporting duplicate routes when using the Express framework.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New features and improvements:

  • Falcon 2.0 is supported and is in beta

  • Upgraded Contrast Service to 2.8.1

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.0

New features and improvements:

  • Caching of settings to improve performance and reduce memory impact

Important notes:

  • Deprecation of CSRF Assess and Protect rules