Release News

Contrast 3.6.10 - November 2019

Bug Fixes

  • The Flow Map interactive application view didn’t work in older IE11 browsers and had some minor formatting issues.

  • Drilling down on an Assess rule to see all apps that use the rule would cut off results at the first screen.

  • Protect suppressed incorrect attack events after creating an exclusion. (We fixed this by adding an option to suppress events in an improved Create Exclusion workflow.) XXE attack events showed incorrect and confusing details in the attack event overview.

  • Libraries showed incorrect total vulnerabilities counts for CVEs. Users could not override a Library policy at the organization level.

New and Improved Features

  • Jira integrations have a new application importance filtering option that tells Contrast to only create tickets for vulnerabilities from applications that have a specific importance level.

  • It’s now possible to search for vulnerabilities by Application Tag, both through the Contrast UI and the API. A new filter option in the Vulnerabilities view makes it easier to find vulnerabilities by topics that are relevant to your teams.

  • We support .NET Core applications deployed on Linux. We’re expanding our coverage of .NET Core applications from Windows to include Linux deployments. You can now use the same .NET Core agent and gain accurate and detailed security coverage on your application.

  • Integrations with Azure Pipeline can now allow development teams to set vulnerability thresholds that prevent builds from succeeding if applications exceed thresholds and are too vulnerable.

Agent Updates

Java summary

The Java team worked to improve accuracy in Assess for this release in these areas:

  • Detecting XSS attacks on Java Servlet applications

  • Detecting SSRF attacks

  • When using Java 11

The team also made improvements for reporting and troubleshooting, as well as smaller bug fixes. These include:

  • Clarified usage of the max_stack_depth property and improved reporting of the error that occurs when it is misconfigured.

  • Added a heartbeat message to help administrators diagnose Contrast Protect syslog connectivity.

.NET agent summaries

The team improved sensitive data masking for cookies and assured higher accuracy for Path Traversal rules in Protect.

.NET Framework

The team improved route-based coverage across the board to more accurately discover and observe routes for different routing configurations. They also fixed the following bugs:

  • Error logging bug when the agent had a problem discovering applications hosted on IIS

  • The agent could produce an invalid IL code for applications that were re-deployed dozens and dozens of times without a server restart.

.NET Core

The Contrast .NET Core agent now supports Linux (Ubuntu, Debian, openSUSE)! See https://docs.contrastsecurity.com/installation-netcoresupport.html

The team also added a feature to capture and report the HTTP POST body for vulnerabilities and attacks.

Node.js summary

The Node team is pleased to announce full support for NodeJS version 12 LTS.

The team also implemented route-based auto-verification (RBAV) functionality for the agent. RBAV will be fully released and functional when our main products also complete server implementation for route-based auto-verification.

We fixed how Assess reports relevant findings from malicious cookies for the Koa framework.

Ruby summary

The Ruby team focused on language compatibility to ensure the agent adheres to best practices and works alongside common dependencies. In particular, the team addressed an incompatibility with FactoryBot, allowing the agent to run with the gem installed. The team also fixed an incompatibility with the 2.6 base image on Heroku, so the agent can once again be installed in that environment.

In addition, updates to Contrast Service runner assure startup in all supported installations, as well as improved interoperability for applications running in multiple processes.

The team also implemented route-based auto-verification (RBAV), slated for full release later this year.

Python summary

The Python team released the Python Assess beta and continues to add features and stability improvements.

The team also improved the agent’s SQLAlchemy support and request body handling. The agent now logs its configuration and log file locations to stdout on initialization. The team fixed several issues surrounding its communication with the Contrast Service, enabling the agent to use the latest version of the Service (2.3.0) by default.

Additional improvements include PyCassa support for SQL injection and updates to internal testing and packaging.

Contrast 3.6.9 - October 2019

Bug Fixes

  • Jira integrations weren't applying custom fields created in Contrast.
  • Vulnerabilities couldn't be sent to integrated bugtrackers for child applications.
  • The Overview page for attack events highlighted the wrong line of code.

New and Improved Features

  • Jira integrations allow you to set standards for application importance levels as well as specific application names.

  • Settings for time-based auto-remediation policy and administrator approval to close vulnerabilities have moved from your Organization Settings to a new Vulnerability Management page within Policy Management.

  • A Contrast plugin for the 2019 version of the Visual Studio IDE lets you see a list of vulnerabilities and details on each one, such as remediation guidance, directly in the IDE as Contrast discovers security flaws in your applications.

  • Contrast will import library cache data in the background rather than block start up to import. This results in a faster startup time; however, Contrast will not display library data until the import task is done.

Agent Updates

Java summary

For Assess, the Java team added coverage for java.util.Scanner APIs and java.net.URL#openStream. We fixed a library reporting issue in Assess that would cause previously reported libraries to disappear. The agent now recognizes the OWASP Encoder project's JSP tags as valid security controls. The agent no longer reports anti-clickjacking and anti-caching vulnerabilities for requests for font files, or XSS vulnerabilities in request for PDF files.

For Protect, the agent can better detect and block commands started from OGNL expressions. Protect rules can now detect attacks when the input is base64 encoded. We also improved the accuracy of the Protect EL Injection rule to not block attacks where java.lang.Class is used only to obtain the simple name via #getSimpleName.

Lastly, we improved error reporting in agent initialization when unable to access the temporary directory, and added the port to reporting of HTTP requests in J2EE applications.

.NET agent summaries

.NET Framework

The team added the ability to filter which applications in IIS will be analyzed via the application_blacklist and application_whitelist configuration settings. We improved performance of Protect analysis under CLR2 as well as accuracy of Assess propagation starting with the HttpRequest.Uri source. We also fixed a bug where the agent didn't properly handle NGEN assemblies.

.NET Core

The team fixed several bugs that could prevent certain instrumented applications from initializing or starting correctly.

Node.js summary

The Node team completed the following bug fixes:

  • An AsyncStorage error with Hapi 16
  • An issue regarding hardcoded rules no longer reporting
  • A bad substitution error when running packaging script
  • An issue where the agent wasn’t compatible with Node.js asn1 library

We also added a note in the agent's troubleshooting README for installing the agent when running on Alpine, and did some internal code cleanup and testing improvements.

Ruby summary

For much of the October release, the Ruby team focused on performance improvements in the agent, particularly around startup, patching, and interpolation detection. The agent now has a more lightweight impact while patching. We also made substantial changes to how we track dataflow through interpolation events by relying on C patching and AST rewriting as opposed to code rewriting. These changes contributed to the performance and stability of the agent as a whole.

Python summary

The Python team implemented more robust handling of cases in which requests have been read by other middlewares higher in the stack, and made improvements to route coverage and agent logging. We fixed an issue related to the handling of binary data in responses from applications. We also made updates to the agent README, and did some internal code cleanup and testing.

Contrast 3.6.8 - September 2019

Bug Fixes

  • When impersonating an admin-level user in multiple organizations, the UI showed dashboard information and agent connection details for the admin's default organization.
  • Filters didn't load correctly for the Servers grid.
  • The form to configure output to of Protect events to syslog didn't accept some IP address formats.

New and Improved Features

  • Use your application's flow map to see where data from your application connects it to back-end systems and other applications in your organization. Every time you exercise your application, the Contrast agent reports information to the Contrast UI about new back-end systems and applications - no extra configuration required. To see the latest connections, go to your application's new Flow Map tab.

  • Contrast's sensitive data masking feature protects sensitive data in your applications by redacting it in Contrast vulnerability and attack reports that are sent to the Contrast UI, syslog or security log. All Contrast agents apply data masking for critical data types to all applications by default. To see each of the data types and add custom criteria for your organization, go to the user menu > Policy Managment > Sensitive Data tab in the UI.

  • Set up Contrast's new PagerDuty integration to receive attack notifications outside of the UI. Each notification automatically provides details on the attack, including the application, server and source IP involved. Go to the user menu > Organization Settings > Integrations tab to connect your PagerDuty account to your Contrast organization.

Agent Updates

Java summary

The Java team improved the accuracy and performance of instrumentation for String replacement operations. We also enhanced the Protect Command Injection Rule so that it can block commands that attempt to use dangerous path arguments such as /etc/passwd and /etc/shadow.

.NET agent summaries

The .NET team improved accuracy of Assess SQL-Injection against EF-Core, the Protect XSS rule, and handling of odd URLs when deciding whether or not to analyze events during servicing of a request. We also fixed several bugs that could result in warnings in agent log files.

.NET Framework

For the .NET Framework agent, the team implemented beta support for a Protect Cross-Site Request Forgery rule, and extended the Protect Unsafe File Upload rule to handle file uploads under Web API applications. We also fixed the following bugs:

  • A bug where the agent could cause an application to error when the application attempted to access web.config
  • A bug where the agent could cause a process crash during process shutdown when chained with a specific APM profiler
  • A bug where the upgrade process could modify the agent configuration file, if the file had been edited before install but not modified since

.NET Core

For the .NET Core agent, the team implemented the Protect Unsafe File Upload rule.

Node.js summary

The Node team released Beta support for the Kraken.js web framework. We updated our internal logging to standardize reporting at non-DEBUG levels. We closed a defect where an application without a valid license in Protect mode would fail to start. An unlicensed application in Protect mode will now start with a log indicating that Protect mode is disabled due to a lack of licenses. The team resolved an issue where the Unsafe File Upload rule in the Hapi 17 framework wouldn't have the correct HTTP request context. Finally, we updated our internal test suite to include the Ubuntu Alpine image.

Ruby summary

The Ruby team updated the agent to use Contrast Service for input analysis of attack vectors. This update provides more consistent rule implementation for Protect rules as well as REP support during input analysis, while also providing more performance and requiring fewer resources on the instrumented application. We also continue to implement performance improvements in the Ruby Assess agent by implementing more granular marking of rewritten Ruby modules and preventing multiple attempts at rewriting a file. The agent now also limits the context where a propagation node needs to be copied.

Python summary

The Python team continues to work towards the Beta release of the Python Assess agent. In September, the Python team finalized support of the Pylons framework. The agent now has standard behavior of logging at non-DEBUG levels, and no longer reports deprecation warnings due to a escaped regular expression pattern. Finally, the python agent now supports the Contrast Service executable in read-only environments.

Contrast 3.6.7 - August 2019

Bug Fixes

  • Some users with active Assess licenses couldn't access the Contrast UI after Protect licenses expired.
  • Servers were labeled as Unlicensed even though Protect was disabled for the organization.
  • Some Protect users couldn't save syslog settings when they entered a host name.
  • There was an error with the React component when loading a vulnerability's Overview page as well as the filters menu in the Vulnerabilities grid.
  • Applications couldn't be deleted from the Applications grid using the trash can icon.

New and Improved Features

Administrators can save time and effort by automatically assigning a user's organizational groups. When the option is enabled in your organization's SSO settings, Contrast uses SAML authentication to automatically provision users with an organizational group when they log in. If the user is already a member of any Contrast groups that aren't allowed by the SSO settings, Contrast can also automatically remove the user from those organizational groups. Go to the user menu > Organization Settings > SSO tab to see the options in the UI.

Agent Updates

Java summary

For Protect, the Java team increased accuracy for the HTTP Method Tampering Rule and Expression Language Injection Rule to resolve false positives, and increased accuracy for the XSS Rule to resolve false negatives. For Assess, we completed performance optimizations for users of the Oracle JDBC driver.

.NET agent summaries

.NET Framework

The .NET Framework team improved communication with the Contrast UI to reduce duplicate messages, and added new “cookie-header-missing-flags” to identify when cookies are issued without the secure flag. We also fixed a bug in which the Azure App Service agent would fail to respect rule mode settings as well as a bug in which “##ProductName##” would appear in Tray notifications during the upgrade process.

.NET Core

The .NET Core team removed the requirement that the .NET Framework be installed on the server. We also added new “cookie-header-missing-flags” to identify when cookies are issued without the secure flag, and fixed a bug in which libraries were detected but not reported by the agent.

Node.js summary

The Node team is moving forward on support for the Kraken.js framework; this month, we implemented support for routing, form uploads and view layer code. The agent now deploys with pre-built binaries that ease deployment to applications that depend on Yarn as well as applications in environments where a compilation pipeline isn't available. In addition, the agent handles more detailed analysis of the URL object. The team also fixed the following issues:

  • Syslog settings weren't matched up to the common configuration specification
  • Hapi 17 sink wasn't excluding header for XSS
  • Libraries weren't being reported to the Contrast UI

Ruby summary

For the Ruby team, much of the August release was focused on performance improvements in the agent, particularly when operating in Assess mode. The agent now defers creation of the properties object on tracked strings until the first tag is generated; this is an optimization to prevent the properties object from being created on introspection of the string, reduction on string generation, and prioritize the use of faster native method over slower equivalents. We resolved an issue in which Stored XSS vulnerabilities weren't being discovered in some instances. We also closed an issue to prevent redundant rewrites of ActiveRecord classes.

Python summary

The Python team released a major update to source input analysis when operating in Protect mode. This update allows for a reduction of processing within the client application while standardizing user input scoring across agent implementations. We moved common code for the Flask middleware to the base class to be shared among all WSGI-derived middlewares. We resolved an issue in which binary uploads in HTTP requests were being reported for analysis as if they were UTF-8. The team is also moving towards the Python Assess beta release.

Contrast 3.6.6 - July 2019

Fixes

  • Application and libraries grids in the UI flickered for users on Safari.
  • Some users had an issue onboarding multiple .NET applications in the same pool.
  • Impersonating users as a SuperAdmin resulted in errors.
  • Users without applications couldn't see custom access groups in the UI.
  • Applications tags were missing after applications were unmerged.
  • Application queries timed out in some organizations.
  • Daily digest emails were sent multiple times to the same recipients.
  • Filters weren't applied when using the "Select All" option to delete vulnerabilities or exporting vulnerabilities for merged applications.
  • Jira integrations didn't detect custom field to add multiple users.
  • Merged applications ignored an Assess rule disabled previously for one of the applications.

Improvements

  • Export your application’s route coverage information to use and share outside the UI. To download the spreadsheet, go to the application’s Route Coverage tab, and select the icon above the grid to Export Routes to CSV. You can also export the same data via the APIs.

  • The Node agent is available in the default Node Pivotal Cloud Foundry buildpack. You can also set up the Contrast tile to send any vulnerabilities up to your organization.

  • The Java agent added support for IBM JDK 8.

Agent Updates

Java summary

The Java agent is now available through package managers from the Contrast Debian and Contrast RPM repositories. If host installation is right for you, you can also install the agent with the Exec Helper package for Ubuntu and Red Hat.

The Java team also made improvements to Protect rules, and turned off semantic analysis for SQL injection by default.

.NET agents

The .NET Framework and .NET Core teams fixed an issue that could taint some objects to be rendered incorrectly in the Contrast UI. We also improved creation of method signatures for methods with generic types. (This may invalidate previously created sanitizers and validators, if those signatures included generic types.)

.NET Framework summary

The .NET Framework team added a new Assess rule that detects when IIS is configured to send the unnecessary “X-Powered-By” header as well as a new Assess rule that detects when non-session cookies are missing the “secure” flag. We added a new Protect rule for ASP.NET applications that can block a potentially malicious file from being uploaded. We fixed a bug in which instrumentation could cause an error in applications using a specific version (4.1.1.2) of System.Net.Http from a Nuget package instead of the BCL. We also added the following capabilities to our agent configuration:

  • The ability to change the agent’s service’s startup type to “Manual” via a command line flag on the installer (e.g., SERVICE_STARTUP_TYPE_MANUAL=1)
  • The ability to suppress the agent’s service’s startup after installation via a command line flag on the installer (e.g., SUPPRESS_SERVICE_START=1)
  • A workaround for applications that use Server.Transfer within error pages
    (See the agent.dotnet. restore_error_handling_after_sending_headers_behavior configuration flag.)

.NET Core summary

You can now use the .NET Core agent on servers that have the .NET Framework agent installed. The team also added new Assess rules that detect when cookies are missing http-only or secure flags.

Node.js summary

The Node team investigated and closed an issue in which Bluebird async implementation was polluting the Node domain implementation which resulted in extraneous vulnerability reports in the Contrast UI. The team also fixed incompatibilities with the Comment Event Formatting (CEF) specification in the security log. We updated the handling of route reporting when routes are registered after server startup. Finally, we implemented improvements in the handling of the CSP Header Misconfigured, SSJS and SSRF rules.

Ruby summary

The Ruby team delivers an expanded test suite to include Ruby Core String specs as well as support for trust-boundary-violation. The team added performance optimizations to limit the generation of reported stack traces, limit the reporting of agent classes in inventory mode, append and flush log messages. We also migrated tag range handling from Ruby to C.

Python summary

The Python team added additional support for handling Protect rules that need to introspect the response body for the Flask framework. We closed an issue where the HTTP Method Tampering rule was blocking requests using the WebDAV protocol and aligned the defaults for communicating with the Contrast Service. Finally, the team closed an issue related to compatibility with MySQL in Python 2.7.