Release News

Contrast 3.5.8 - November 2018

Fixes

  • Export data for all libraries in your organization without errors.
  • SuperAdmins can upload new user data.
  • Create Master applications during application merge.
  • The Dashboard shows the appropriate vulnerability count for each user's application access.
  • All vulnerability URL info is displayed correctly.
  • LDAP connection issues for group creation are resolved.

Improvements

  • As of Contrast version 3.5.8, the auto-updating version of the Java agent is no longer available for download. The auto-update feature is not compatible with Contrast's design changes made to support the Java Platform Module System included in Java beginning with version 9. Existing agents with the auto-update feature will continue to function; however, once Contrast releases an agent capable of supporting Java 9+, they will no longer update to the latest version.

    For more details on Java agent updates, see the Java summary below.

  • See your Protect data logs in SumoLogic via integration with the SIEM API. Browse through logs, and quickly find exactly what you’re looking for.

  • Contrast upgraded to MySQL 5.7 for embedded MySQL.

Agent Updates

Java summary

The Java agent team improved accuracy of the Assess Path Traversal rule on Spring applications. We added better Assess support for Jersey 2.0, including route detection for Jersey 2.0+ applications. The agent also supports setting the common configuration properties via environment variables.

.NET summary

The .NET team fixed a bug in which the agent wasn't respecting the legacy TeamServerValidateCert configuration setting. We also fixed a bug in which the agent failed to restart properly when profiler chaining was enabled and the Assess or Protect mode was changed. We made improvements to:

  • The display of System.Char[] values in the trigger event of Assess vulnerabilities
  • The performance of Assess analysis of applications that communicate with web services using System.Net.Http.HttpClient
  • Assess accuracy for unvalidated redirects against the current request's URL

The agent supports Azure App Service applications that are hosted outside of the wwwroot/bin directory.

Node.js summary

The Node agent now supports Node 10, the latest long-term support (LTS) version of Node. The Node team also updated support for TLS connections to Contrast UI using common configuration options. We modified the logging levels for the agent to match the other agents, and closed a bug in the Winston logger. We also enhanced logging around Process.argv.

Ruby summary

The Ruby team has released the Assess agent! The Ruby agent also supports the common configuration entries to customize TLS connections to the Contrast UI. Due to performance issues, we removed log enhancers for classes loaded after the agent has initialized. (This functionality will be re-enabled in the next release.)

Python summary

The Python agent now supports communication with the Contrast Service over Unix sockets. The Python team updated the configuration to support customized TLS connections to the Contrast UI. The agent also runs a periodic thread that verifies its connection status with the Contrast UI.

Contrast 3.5.7 - October 2018

Set up administrative approval for vulnerability closures and see route coverage for Jersey applications.

Fixes

  • Sort servers in the grid by "Last Seen".
  • Custom footers will display correctly with page contents.
  • Option to add Virtual Patches for .NET is available.
  • Compliance Violation email notifications have working links.
  • Filtered vulnerability counts in the UI and in API responses now match.
  • Status updates are shown correctly in the Vulnerability Trend chart.

Improvements

  • Use our new option to require administrative approval when a user attempts to close a vulnerability. Go to the Organization Settings > Applications page to choose which closed statuses and severities require approval. When a user attempts to close a vulnerability with a status and severity you’ve chosen, it goes into a Pending state until you approve or deny the change.

  • The Jenkins 2.8 plugin lets you query by build numbers or vulnerability timestamps, and also fail a build for only new vulnerabilities. For large-scale deployments, the plugin also supports the use of application UUIDs instead of application names.

Agent Updates

Java summary

The Java agent now reports route-based application coverage for Jersey 2.26+. The Java team fixed an issue in which the agent would fail to instrument certain Equinox classes, as well as a false positive when applications used HttpServletRequest.getContextPath. Spring Boot applications using the contrast.standalone.appname configuration now accurately report libraries.

.NET summary

The .NET agent team added “System.Web.Mvc.UrlHelper.IsLocalUrl” as a validator for unsafe redirects, and improved agent performance when the analyzed application communicates with web services using HttpClient. We also fixed bugs where:

  • The agent failed to restart when Assess was disabled while profiler chaining was in use
  • The agent did not respect TeamServerValidateCert in the agent’s configuration file
  • The Azure App Service Extension would fail to analyze applications hosted outside of the expected bin directory

Node.js summary

Check back next month for an update on our latest (and greatest) work.

Ruby summary

The Ruby agent team is preparing the final updates for GA of the Ruby Assess agent. The team has also been working on performance by optimizing the initial inventory message and moving library analysis into its own thread. We fixed an issue where Rails under Passenger wasn't correctly generating routes for GET requests, as well as a separate issue where Sinatra wasn't starting in Assess mode when class_eval was being used.

Python summary

Python has been continuing to implement the REP Protect rules, with the Path Traversal rule now complete. The Python agent team made a few updates to the implementation of the common configuration properties, including support for the global enable flag, more support for ENV overrides, and a fix so that a value set by an ENV variable allows the corresponding configuration section to be omitted from the YAML file.

Contrast 3.5.6 - September 2018

Use YAML-based common configuration properties for all of our agents, and track your vulnerabilities with our Agile Central integration.

Fixes

  • IE11 users can load the Contrast login page for SaaS and complete actions in the Servers grid row.
  • Delete a server without errors, even if you just deleted the application.
  • Protect will show as "on" for merged and child applications on Protect-enabled servers.
  • The Application page stops loading once your search is complete.
  • The Route Coverage page is free from Invalid Form errors.
  • Send a vulnerability to your configured bugtracker after you refresh the page.

Improvements

  • Send vulnerabilities to Agile Central (formerly known as Rally) with our one-way integration that lets you set fields like Project Name, Defect State, Environment, Priority and more.

  • We changed the default filtering in the Applications grid to show you only licensed applications. Of course, you can still filter by your other favorite categories to make your search even easier.

Agent Updates

Java summary

The Java team fixed a bug that caused Assess events to be labeled with the wrong type, as well as a bug where user-provided Sanitizers that returned a new object could break data flow analysis. We added support for YAML-based common configuration options. We also improved reliability of Assess data flow analysis.

.NET summary

Users can now enable “profiler chaining” to allow the .NET agent to work alongside other third-party profilers such as New Relic, App Dynamics and Dynatrace. Set agent.dotnet.enable_chaining=true in the contrast_security.yaml common configuration file (or ProfilerChainingEnabled=true in the XML-based configuration file). The team made improvements to Protect to handle attacks via JSON deserialization within ASP.NET MVC applications, instrumentation reliability within Web API applications, and Assess accuracy for interned strings within XML reading. We also fixed bugs where instrumentation led to a crash on 32-bit applications on Windows Server 2008, the agent didn't use the configured agent data directory, and the agent would always use the “QA” environment settings for servers.

Node.js summary

The Node team added additional Assess rules - HTTP Only and Secure Flag Missing - for the Hapi 17 framework as well as additional support for session management. The team fixed issues related to file paths in the Windows OS, rendering of null values in templates, and an auto-update issue. We also added additional common configuration options, and implemented initial metadata support for instrumented applications.

Ruby summary

The Ruby team has been working on performance enhancements to the agent. The team made asynchronous inventory and route analysis the default. We deferred instrumentation until explicitly enabled, refactored our gem analysis algorithm, and streamlined many of the utility methods. The agent was updated to align with changes to the common configuration options, and gained initial metadata support. In addition, the team is working towards general availability of the Ruby Assess features with the completion of the following Assess rules: XXE, NoSQL Injection and Unvalidated Redirect.

Python summary

The Python team has continued to implement advanced Protect rules with updates to the Path Traversal rule. The agent now supports changes to the common configuration options, and added initial metadata support. The service layer added support for binary request bodies.

Contrast 3.5.5 - August 2018

Want to find more details but spend less time searching? Use the new page for application route coverage and reorganized sections for all your keys.

Fixes

  • Create a new organization with the email address of an existing Contrast account.
  • The last-reported date for vulnerabilities will display more accurately.
  • The Applications grid displays correctly for Safari users.
  • Applications that don't have Assess enabled won't be counted in the overall score for your organization.
  • Contrast will test your Jira configuration with the latest credential set selected.
  • Advanced filters will work together to show you the right results in the Servers grid.

Improvements

  • Keep track of security for your entire application in the new Route Coverage tab. Contrast breaks down the data for discovered routes, including exercised and unexercised routes, as well as the specific routes with critical vulnerabilities. See the Agent Updates section for each agent's current list of supported frameworks.

  • Set global vulnerability threshold conditions in the Contrast Jenkins plugin. Teams may then override the conditions for specific jobs.

  • Only OrgAdmin-level users and above can see empty servers in the Contrast UI. (Servers that have applications will be visible as they are today and honor all the usual access rules.)

  • We've moved the keys around a bit to make them easier to find. Go to the user menu > Organization Settings > Profile page to see your Organization ID, API key, and Agent Service key; or, go to the Profile > Your Account tab to find your personal keys.

Agent Updates

Java summary

The Java agent team improved the agent's handling of XML inputs, and reduced the amount of memory used by the agent's Assess analysis. We also implemented route coverage for Spring MVC 4.

.NET summary

The .NET agent team has improved performance by enabling the CLR to inline methods not instrumented by Contrast. We improved error handling when certain reports to Contrast fail. We also implemented route coverage for the MVC 4, MVC 5, WebForms, ASMX, WCF and Web API frameworks.

Node.js summary

The Node agent team added Protect support for Hapi 17, and is finishing up support for Assess rules in that framework. We fixed an issue in reporting traces to the Contrast UI in Assess mode as well as an issue where propagation wasn't being followed through custom toString method calls.

Ruby summary

The Ruby agent team has been focused on performance issues, including adding a timeout in cases where IP resolution appeared to take longer than a few seconds on startup and optimizing the XXE rule source input generation. We fixed an issue where rake tasks had a namespace conflict. We also completed route coverage for Rails and Sinatra frameworks.

Python summary

The Python agent team implemented auto-start of the service when the instrumented application is started. We improved the application name generation for display in the Contrast UI. We also enabled the route coverage feature.

Contrast 3.5.4 - July 2018

Just in: Ruby agent 2.0 and improvements for your integrations!

Fixes

  • Filter Attacks by IP address to find the right ones in the grid.
  • See the right vulnerabilities in your server's Overview page.
  • Non-internet connected Enterprise-on-Premises (EOP) users can see the complete list of their libraries.
  • Don't get tripped up by Security Controls for invalid targets.
  • Set up auto-licensing for servers, and see your saved selection across the UI.
  • Build Number and Untracked filters work exactly as expected for your vulnerabilities.
  • Delete an organization with assigned licenses.

Improvements

  • Contrast stores the credentials you entered in your last Jira configuration, and automatically applies them when you set up the next one. You can also manage your credentials by adding new ones or editing an existing set.

  • EOP users can set proxy settings and rest assured that all integration traffic will flow through the proxy.

Agent Updates

Java summary

The Java team reduced the amount of memory used by the agent’s Assess analysis. We fixed an issue where certain java.lang.String methods, if added as sanitizers or validators, could cause application errors. We also added a new Malformed Header rule as well as protection against CVE-2018-1261.

.NET summary

The .NET team improved the performance of the agent’s communication with the Contrast interface as well as the accuracy of unvalidated redirect analysis when the data source was System.Web.HttpRequest.RawUrl. Also, the Azure App Service Site Extension now checks for framework requirements.

Node.js summary

The Node team added agent compatibility with the NewRelic APM agent. In the Protect feature, we improved the NoSQLi rule with support for classifier detection in MongoDB, and SQLi now has a new hook in the MySQL query interface. In the Assess feature, we can now track data propagation through user-defined input to the required statement, and we improved data flow on global constructors (e.g., String, Function).

Ruby summary

The Ruby agent entered 2.0 with an embedded service that eliminates the need for a second gem. The embedded service starts on application launch, is compatible with multiple applications on the same server, and can be controlled via rake tasks. The 2.0 version of the agent includes improvements in how the application name is determined and better application version determination.

Python summary

The Python agent has safer common configuration loading, and can accept configuration items from command line and environment variables. The team also added additional tests for Django applications with MySQL.

Contrast 3.5.3 - June 2018

Good work, Python! The Protect agent is ready for the big time!

Fixes

  • Assess rules take effect for child applications.
  • Tags render correctly for IE11 users.
  • Removed appearance of Apply License options for View-level users.
  • Use the link to clear Advanced filters in the Libraries page.
  • Critical vulnerabilities disappear from your Dashboard as soon as you mark them "Not a Problem".

Agent Updates

Java summary

Contrast now allows users to set the Application Code attribute of an application by passing the contrast.application.code System property to the Java agent. The Java team also added the System property contrast.stderr for directing Contrast logs to STDERR instead of a log file, improved accuracy for XSS detection, and fixed a deadlock at start-up which affects WebLogic 12. When bot-blocking is enabled, the Java agent will always block the Mozilla bot, even when the user hasn't included any bots to block in their Contrast application configuration.

.NET summary

The .NET team added an Assess rule for a missing HSTS header, as well as support for Contrast.AppName in DPAPI-protected configs. We also fixed a concurrency issue that could cause an InvalidOperationException, along with issues where headers set in global.asax weren't analyzed by Assess sensors and incorrect sources were reported for some Assess vulnerabilities.

Node.js summary

The Node team made a variety of performance and compatibility improvements, including: better compatibility with the New Relic APM agent, fixing an issue with PostgreSQL options, and compatibility with applications that run uglify-js in their deployment pipeline. The agent also handles the case where package.json isn't included in an application. Finally, the team added some propagation enhancements for better Assess accuracy in String.split and Array.join.

Ruby summary

The Ruby team improved class name resolution from the code file paths.

Python summary

Python Protect enters General Availability with this release! Remaining tasks for the Python team included tracking routes identified in the application for coverage statistics. We also added a new default location for configuration files under /etc/contrast.

Contrast 3.5.2 - May 2018

With .NET agent support for Azure App Service, a new applications grid to try out, and the Beta release of the Ruby Assess agent on its way, Contrast just upgraded your summer plans.

Fixes

  • Sort attack events in the grid to find just what you're looking for.
  • Use automatic Jira ticket creation for child applications.
  • Sort Assess Rules by severity in an application's Policy page and get accurate results.
  • Navigate to affected applications from attack Notes page.

Improvements

  • Use the new version of the Contrast Maven Plugin! It's automatically integrated with TravisCI and CircleCI build numbers, and there’s no need to manually configure JVM arguments.

  • With our new applications grid in Beta, we’ve given you more direct access to filters while retaining them as you work, provided more insight to your vulnerabilities, and cleaned up the UI for more simplicity. Go to the Applications page to give it a try, and then let us know what you think!

Agent Updates

Java summary

The Java agent team fixed over-reporting of Expression Language Injection, and improved accuracy of the SQL Injection and XSS rules for Protect. We also added protection against CVE-2018-1273. We now recognize several Assess sanitizers from Freemarker v2.3.2+. We also improved performance of the agent's Assess analysis in scenarios where calling ToString on an object led to multiple exceptions in that class’s implementation of ToString. We improved reliability of agent initialization, library discovery, and the Java agent launcher downloading the Java agent from Contrast.

.NET summary

Contrast now supports analysis of .NET applications hosted on Azure App Service. See Manual Installation and Express Installation for Azure for instructions on how to add the .NET agent to applications hosted by Azure App Service. While the .NET team was working on that, we also:

  • Added a Protect rule for HTTP method tampering.
  • Fixed a bug where the agent’s instrumentation could modify the value of encoded XML under CLR2.
  • Improved reliability of analysis of the HTTP response, especially under Classic Pipeline.
  • Fixed a bug where Contrast could reject vulnerabilities from the .NET agent in limited scenarios.
  • Improved reliability of agent initialization.

Oh, and the agent will no longer falsely identify a weak hash algorithm in Microsoft reporting services.

Node.js summary

The Node agent team resolved issues related to an incorrect value being read from the PostgreSQL sensor when emitting event data. Additional sanitization methods for mustache templates are now supported. We've investigated and closed a string literal to string object transformation issue, a related issue where tag ranges after string concatenation were not being resolved as an integer value, and ensured that string propagation handles an edge case where the length of the tag range is 0. The inventory mode now supports library versions in additional non-standard formats. Finally, the agent now supports code using the spread operator in additional contexts.

Ruby summary

The Ruby agent team fixed a bug in class name resolution from the require library paths. We also fixed an issue with the used class count, and closed an issue where an internal context object was being called with an incorrect argument. In preparation for the Ruby Assess Beta coming this summer, we implemented the stored XSS rule, and updated the trace event reporting to the Contrast application.

Python summary

The Python agent team is preparing for general availability of the Python Protect agent at the end of the second quarter. We've fixed issues related to the used class count, and updated the library version reporting to the Contrast application. We've also made updates in the stack frame reporting for attacks, and updated the installation instructions for the Flask web framework.

Contrast 3.5.1 - April 2018

Does dealing with issues feel like herding cats? Use new integration options and enhanced Jenkins plugin features to help yourself out!

Fixes

  • Erroneous info has been removed from your Audit Log.
  • Send vulnerabilities to your bugtracker, even for those of Note severity.
  • Save changes to fields in your JIRA integration.
  • Edits to your HipChat integration will now show up in the room immediately.
  • EOP customers can complete login tests for LDAP authentication.
  • Put validation in place for the Jira integration host URL to help you avoid problems.
  • No more LDAP configuration errors due to URLs that contain spaces. Our apologies!

Improvements

  • Use our Jenkins plugin with a proxy or try a new flag to disregard Contrast findings for a specific Jenkins job. You can even try Results Only mode: Contrast will set the job status of a build to a customized status, such as "Not Built", "Aborted" or "Unstable".

  • In the tradition of JIRA, VSTS/TFS and Bugzilla support, we present to you GitHub issues - yet another way to send those vulnerabilities out of Contrast (and your applications)!

  • Get ready for even more vulnerability details with Slack! New info includes server, application and rule names as well as time of detection.

Agent Updates

Java summary

Java Protect accuracy just got better! We improved analysis of encoded attacks and added detection of command injection used by JexBoss. Work was completed to improve reliability of both agent initialization and timeout within the value specified by the -Dcontrast.timeout configuration. We boosted performance of Assess analysis against J2EE applications, and fixed locking and concurrent modification issues in the policy.

.NET summary

.NET Assess fixed a few bugs: one where the data flow analysis stopped when data went through a "potential security control", and another where, in limited scenarios, vulnerabilities would be rejected by Contrast. We made improvements to memory usage by reducing the number of allocations used by Assess data flow analysis, and implemented new rules:

  • CSP Header Missing
  • Insecure CSP Policy
  • IE XSS Protection Disabled
  • x-content-type-options Header Missing

In addition, performance was enhanced by consolidating several IPC messages, and a fix was put in place when instrumenting "Outsystems" third-party components. The .NET agent installer will now read the RestartIISOnConfigChange configuration value from the DotnetAgentSettings.ini file. See Assess Rules for more information.

Node.js summary

Node Protect has multiple performance improvements in the handling of source inputs by rule, and added a stricter demarcation of the Assess and Protect contexts. We fixed an issue in the CSRF rule that could cause timeouts in blocked requests. Specifically for our Assess feature, we resolved an issue where required paths were not strings. Node has improved auto-update to correctly check Contrast UI version numbers and now supports the YAML-based common configuration file. As Node 4 is at the end of its life, this is the last agent to officially support Node 4. And we're looking forward to supporting Node 10 in October!

Ruby summary

Ruby works toward beta-level Assess support at the end of Q2. For the Protect agent, we updated our SQLi rule, exclusions now honor the "all" condition from the Contrast UI, and configuration files can be placed in a standard Contrast directory. There's also a new feature where the request body can be excluded from results sent to the Contrast UI. We had an issue where the CVE-2017-0898 shield was blocking assets in development mode, but it's fixed now! We've updated our library dependencies in both the agent and the service, reducing the potential for incompatibilities in user environments.

Python summary

Python Protect is available to beta partners. We added Pyramid support as well as better reporting on the XSS rule in the Contrast UI. We fixed an issue where specific regex patterns were causing an exception in Python 2.7.5 and Python 2.7.6. We addressed the problem where older versions of pip were causing an exception, and fixed a false negative issue in the SQLi rule. The agent correctly applies IP blacklist configurations to the `X-Forwarded-For` header.

Contrast 3.5.0 - March 2018

With the Python agent in beta and Protect features available for Node, it's like a whole new world. (A new fantastic point of view...)

Fixes

  • Retain your filters in the Servers page, even when you take action in the grid.
  • Attack notifications are being sent by your Slack integration.
  • Use the link to Contact Support in the user menu.
  • Notifications for new vulnerable libraries stop if you disable them.
  • Your view of Attacks honors application access levels and filters you've set.
  • Vulnerability trend chart is in sync with the Vulnerability page grid.
  • Applications grid loads completely and consistently.
  • Download the Ruby agent without any workarounds.
  • Surplus trace details are gone from your vulnerability view.

Improvements

  • Wondering about the daily breakdown of your Protect license usage? Head over to the Organization Statistics page to find out. We’ll show you the number of servers protected, peak daily usage and much more.

  • When you export a vulnerability, the Vulnerability Overview and Notes fields are sent over with all of the regular info for new JIRA or VSTS/TFS tickets.

  • Ensure that your applications are compliant to the OWASP Top 10 2017 standard, and generate reports based on the compliance standard.

Agent Updates

Java summary

The Java team improved blocking in the Protect Path Traversal rule and added protection against CVE-2017-8046. We also fixed a bug where the agent could fail to block, at the perimeter, an attack embedded within JSON/XML.

.NET summary

The .NET team added an XXE Rule for Protect and improved agent accuracy (i.e., Protect Command Injection and Assess handling of ASP.NET server variables). We reduced the agent’s impact to performance of Web API applications by ~7% as well as the number of allocations used by the agent’s Assess analysis. We also fixed the following issues:

  • Several safe errors in agent sensors that could lead to excessive logging and impact performance
  • Clickjacking false positive when X-Frame-Options header was added at the native level by IIS
  • An error where agent analysis could fail to initialize when an application pool is configured to use a low-privilege user

Node.js summary

The Protect features of the Node agent officially entered GA this month with some final work on the CSRF rule, additional patterns for the CMD injection rule, a better matcher for the Bot Blocker rule, a fix for virtual patches and better stack trace reporting. We've also updated our error reporting when the config file isn't found, allowed for global environment variables to supersede configuration options, and added configuration flags for disabling Protect and Assess features. Finally, we've had a few updates for better Windows support and better technology reporting from the agent.

Ruby summary

The Ruby agent updated the SQL injection rule to resolve a false negative, and simplified access to the configuration object in multi-process web server environments. We added a fix to limit the size of the pending message queue when the service is unavailable, and provide better feedback if the logging directory is in a non-writable state. We've also made our gem dependencies less strict to reduce the possibility of gem conflicts for the service layer.

Python summary

The Python Protect agent begins its beta phase with support of the full set of Protect rules and a new, high-speed service layer.