Monthly Release News

Contrast 3.7.3 - April 2020

This page shows highlights from all our Contrast hosted, on-premises and agent releases over the past month.

3.7.3 on-premises release date: May 8, 2020

New and improved:

  • In addition to associating vulnerabilities, you can now also associate both discovered and exercised routes with build numbers, application versions, branches or repositories using session metadata. This means you can also query route information through a public API endpoint: with a single call you can get detailed information on how much of an application has been exercised and where the critical vulnerabilities are.
  • You now have a choice to receive individual policy violation emails or to consolidate them into a single email. Find this option under Organization Settings > Notifications.
  • Your AppSec team can more easily assess library security risk and prioritize work with changes to surface CVE severity and make libraries easier to find. Select Libraries to see a filterable list of libraries with visual display of CVE severity for each one.

Important notes:

  • To improve security, the Contrast JRE version has been updated to Java 11 for both hosted and on-premises customers. This should not affect end users.

Bug fixes:

These significant bugs have been fixed in the past month:

  • SUP-1244 (TS-2697, TS-1494) 3.7.2 on-premises upgrade caused Contrast server and mysqld to attempt to run as the wrong user.
  • SUP-1153 (JAVA-1051) RBAV was incorrectly auto-verifying vulnerabilities.
  • SUP-1172 (JAVA-1060, JAVA-1061, JAVA-1062) Protect input after a rule change caused false positives.
  • SUP-1231 (DOTNET-1458) .NET agent failed to initialize after upgrade.
  • SUP-1156 (TS-2526) Inconsistent authorization redirected user to login and then an unauthorized page.
  • SUP-1074, SUP-1234, SUP-1312 (JAVA-1085) WebSphere LDAP/SAML authentication broke with newer versions of Contrast.

Java agent - April 2020

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657

New features and improvements:

  • Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

Important notes:

  • This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premises Contrast servers version 3.7.2 and older.

Bug fixes:

  • When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated SSLSocketFactory instead of the Java runtime's default system socket factory.
  • When users configured a session-based vulnerability auto-verification policy without setting an explicit session_id configuration parameter on the agent, Contrast incorrectly auto-verified vulnerabilities. We resolved this by fixing a race condition, so auto-verification now works as expected when the agent is configured with contrast.agent.java.standalone_app_name.

.NET Framework agent - April 2020

Language versions currently supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.4.1, 20.4.2, 20.4.3

New features and improvements:

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.
  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid yaml).

Important notes:

  • The agent's auto-update feature will no longer update the agent when running on Windows Server 2008 or servers with .NET Framework 4.7.0 or older. This change is in preparation for the upcoming fork of the Contrast .NET Framework agent. See below for more details.
  • The next release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Bug fixes:

  • When an application hosted on IIS was (mis)configured without a virtual path, the agent's background Windows service would crash. The agent's background Windows service now properly handles this configuration.
  • A race condition around requests for configuration values that did not have default values could lead to a crash of the agent's background Windows service. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

.NET Core agent - April 2020

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New features and improvements:

  • Added support for Linux Azure App Service.
  • Added support for Alpine.
  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.
  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (e.g. invalid yaml).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.
  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

Node.js agent - April 2020

Language versions currently supported: 10 LTS and 12 LTS

Agent versions released during the past month: 2.14.0

New features and improvements:

  • Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent.
  • NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository
  • Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.

Important notes:

  • Running the Node.js agent as a runner now generates a deprecation message. The deprecated syntax is: node-contrast <app-main>.js. The agent continues to function when executed as a runner, but we encourage customers to migrate to the pre-load (-r) method, which is now the recommended way to run the Contrast Node.js agent.

Bug fixes:

  • After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:
cls.run(() => {
    ^
TypeError: Cannot read property 'run' of undefined

OR

/usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
    if (ns.active) {

TypeError: Cannot read property 'active' of undefined

Python agent - April 2020

Language versions currently supported: Python 2.7 and 3.5-3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New features and improvements:

  • Added initial support for the Stored XSS rule in Assess for the Django framework.
  • Added Unvalidated Redirect support in Assess for Pyramid and WebOb objects.
  • Made updates to reduce number of false positives from Reflected XSS rule in Assess.
  • Removed the agent's external dependency on the six package.
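Both the .NET Core fix above (the agent now respects Url.IsLocalUrl) and the Python agent's new Unvalidated Redirect rule hinge on one question: does a redirect target stay on the current origin? The following is an added example, not Contrast's or Microsoft's code: a Python port of the ASP.NET Url.IsLocalUrl rules, shown next to the vulnerable and hardened redirect patterns that the rule distinguishes. The rejection of control characters and whitespace is extra hardening added here, not part of the classic rules, and the function names are illustrative.

```python
"""Local-URL check for redirect targets (Python port of the ASP.NET Url.IsLocalUrl rules).

Added example, not Contrast's or Microsoft's code. A target is local only if it
is "/" or "/path" (second character not "/" or "\\"), or "~/path". Everything
else is rejected, including absolute URLs and the protocol-relative "//host"
and "/\\host" forms that browsers resolve to a different origin.
"""


def is_local_url(url: str) -> bool:
    """Return True only for targets that stay on the current origin."""
    if not url:
        return False
    # Control characters and whitespace can smuggle a scheme past naive checks
    # (e.g. "/\tevil.example"). Rejecting them is added hardening, not part of
    # the classic IsLocalUrl rules.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in url):
        return False
    if url[0] == "/":
        # "/" alone, or "/something" whose second char is neither "/" nor "\".
        return len(url) == 1 or url[1] not in ("/", "\\")
    if url[0] == "~" and len(url) > 1 and url[1] == "/":
        return True
    return False


def redirect_target_unsafe(next_param: str) -> str:
    """Vulnerable pattern: the open redirect an unvalidated-redirect rule reports."""
    return next_param


def redirect_target(next_param: str, fallback: str = "/") -> str:
    """Hardened pattern: follow `next` only when it is local, otherwise use the fallback."""
    return next_param if is_local_url(next_param) else fallback


if __name__ == "__main__":
    # Constructed sample values a login form might receive in ?next=
    for candidate in ["/account", "~/dashboard", "//evil.example", "/\\evil.example",
                      "https://evil.example/phish", "/\tevil.example", ""]:
        print(f"{candidate!r:28} local={is_local_url(candidate)!s:5} -> {redirect_target(candidate)}")
```

The check is deliberately a whitelist of two shapes rather than a blacklist of schemes: anything that is not a same-origin path falls through to the fallback, so new bypass forms do not need to be enumerated.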

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.
  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.

Ruby agent - April 2020

Language versions currently supported: 2.4-2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New features and improvements:

  • Enhanced module definition detection using TracePoint

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.
  • From this point on we recommend installing the agent from RubyGems.

Contrast 3.7.2 - March 2020

On-premises release date: April 6, 2020

New features and improvements

Python for Assess

This feature is now generally available for all Assess users to instrument web applications written in Python to find custom code vulnerabilities. Assess capabilities include support for Django, Flask, and Pyramid along with route coverage and route-based auto-verification for each framework.

Important note

With the 3.7.1 release, which upgraded Tomcat to version 9, users experienced broken AJP (Apache JServ Protocol) connections: Tomcat 9 requires an AJP secret by default, so the connector would not work until a secret was configured or the secret requirement was disabled. Configuration options for this have been added and are configurable through the server.properties file.

Agent Updates

Java Agent Summary

Agent versions released this month: 3.7.2.14224, 3.7.2.14458

Language versions supported: Java 1.6 - 1.8 and 11

Bug Fixes:

  • In some cases, Contrast Assess considered the input to sanitizers to also be safe in other contexts. This could have led to false negatives in our data flow analysis. We fixed this so that only the data returned by an encoder (and never the input) would be considered safe in a data flow analysis.

  • In some cases, when users configured a route-based auto-verification policy, Contrast Assess would unexpectedly change a vulnerability status to Auto-Verified. This release remedies these problems for users who configure their Contrast Java agent with the agent.java.standalone_app_name configuration.

  • When users configured a sensitive data masking policy, Contrast unexpectedly did not apply this policy to individual cookies in users' HTTP requests. Contrast now correctly masks sensitive cookie values.
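To make the first fix above concrete, here is an added toy data-flow model (not the Contrast Java agent's code) of the rule it states: only what an encoder returns is clean, never what it was given. The mark_input_safe switch reproduces the pre-fix behaviour so the false negative is visible next to the corrected result; the Value, concat, html_encode and run_request names and the sample payload are illustrative.

```python
"""Toy data-flow model: an encoder's OUTPUT is safe, its INPUT stays tainted.

Added example, not the Contrast agent's code. It models the one rule the fix
states and shows the false negative that the old behaviour produced.
"""
import html
from dataclasses import dataclass


@dataclass
class Value:
    text: str
    tainted: bool  # True when derived from untrusted input and not encoded for the sink


def concat(*parts: Value) -> Value:
    """String building propagates taint: one tainted part taints the result."""
    return Value("".join(p.text for p in parts), any(p.tainted for p in parts))


def html_encode(v: Value, mark_input_safe: bool = False) -> Value:
    """HTML sanitizer. Correct behaviour: return a clean copy, leave the input untouched.

    With mark_input_safe=True the sanitizer also clears the taint on its input
    object, which is the pre-fix behaviour: that same object may still flow,
    unencoded, into a sink of a different context (SQL below).
    """
    if mark_input_safe:
        v.tainted = False
    return Value(html.escape(v.text, quote=True), tainted=False)


def run_request(name_param: str, mark_input_safe: bool) -> list:
    """Simulate one request handler; return the vulnerabilities the model reports."""
    name = Value(name_param, tainted=True)  # an HTTP parameter: untrusted source
    findings = []

    # Context 1: HTML response. The encoder's output is used, so this is safe.
    page = concat(Value("<p>Hello ", False), html_encode(name, mark_input_safe), Value("</p>", False))
    if page.tainted:
        findings.append("reflected-xss")

    # Context 2: SQL query built from the SAME raw parameter. HTML encoding is
    # not a SQL sanitizer, so the analysis must still report this.
    query = concat(Value("SELECT * FROM users WHERE name = '", False), name, Value("'", False))
    if query.tainted:
        findings.append("sql-injection")
    return findings


if __name__ == "__main__":
    payload = "x' OR '1'='1"  # constructed sample input
    print("fixed analysis:", run_request(payload, mark_input_safe=False))  # ['sql-injection']
    print("buggy analysis:", run_request(payload, mark_input_safe=True))   # []  (false negative)
```

The point generalises beyond HTML and SQL: a sanitizer is only valid for the sink it was written for, so an analysis that marks the shared input object as safe silently loses every other sink that input reaches.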

New features and improvements:

  • Added performance improvements which lead to better agent start-up time and lower Protect overhead when analyzing JSON requests.

  • Added accuracy improvements for Assess and Protect.

Node.js Agent Summary

Agent versions released this month: 2.12.3, 2.12.4, 2.12.5, 2.13.0

Language versions supported: 10, 12

Bug fixes:

  • A glip-service-monitor issue required changing how the agent handles toString on ECMAScript class methods.
  • Issue allowed uncaught exceptions to occur during Protect sink analysis for the SQL-Injection rule.
  • Node.js 12 on RHEL 7 had a compiler issue.
  • Incorrectly named compiled artifact caused an error for Windows users.

New features and improvements:

Previously, the Node.js agent has provided minimal support for marsdb, the datastore used by OWASP juice-shop. New Assess support for marsdb API has been added.

Python Agent Summary

Agent versions released this month: 2.7.1, 2.7.2, 2.7.3, 2.8.0

Language versions supported: 2.7 and 3.5-3.8 (New support for 3.8)

Bug fixes:

  • Instrumentation for the unsafe code execution rules affected the correctness of application code.
  • Converted some misleading ERROR log messages to DEBUG level.
  • Logger settings configured in the web interface were not handled correctly.

New features and improvements:

  • Python Assess feature is officially out of beta and generally available.
  • Added Unvalidated Redirect Assess rule for Flask framework.
  • More improvements to XSS detection in Assess, specifically to the mako templating engine.
  • Removed external dependency on PyYAML, which leads to fewer conflicts with customer environments.
  • Added more coverage for detection of the SSRF rule in Assess.

Ruby Agent Summary

Agent versions released this month: 3.7.0, 3.7.1, 3.8.0

Language versions supported: 2.4-2.7

Bug fixes:

  • Updated how we instrument serialization to address an infinite loop.

New features and improvements:

  • Added support for propagation through ERB templates.
  • Improved performance.
  • Added a new rule: Regular expression Denial of Service (ReDoS)
  • Deprecated support for the agent.service.enable yaml config option, in favor of the functionally equivalent, but more descriptive agent.start_bundled_service config option.
  • Added support for Ruby 2.7 language.

.NET Agent Summary

Agent versions released this month: .NET Framework: 20.3.1; .NET Core: 1.3.0

Language versions supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8; .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • .NET Framework and .NET Core: The agent did not respect the assess.stacktraces configuration.
  • .NET Core, Docker, Azure App Service: In some cases, the agent would fail to use the configured proxy server when reporting route observations.
  • .NET Core: The agent did not work with applications that referenced early 2.1.x releases of the .NET Core libraries. Note: We still encourage customers to update their applications to reference the latest supported releases of .NET Core, as they include important security fixes.

New features and improvements:

.NET Core now detects Server-Side Request Forgery (SSRF) attacks and supports CentOS 7.

Note to IIS-Express users: A change in the agent’s profiler component will cause the profiler to be loaded in additional processes launched by IIS-Express if global profiling environment variables are already set. The previous behavior of profiling only IIS-Express can be restored by removing the global environment variables using the “Remove Environment Variables” button in the IIS-Express tab of the Contrast Tray and then adding the variables back using the “Set Environment Variables” button.

Note to .NET Framework agent users: A future release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Contrast 3.7.1 - February 2020

Release date: March 4, 2020

New features and improvements

LDAP-based automated group provisioning

Administrators can leverage LDAP groups to automatically provision or deprovision users within Contrast groups at login time. When this feature is enabled for LDAP-based authentication, users are added to a Contrast group for a corresponding LDAP group and removed from Contrast groups that aren't allowed per the group mapping configuration. Go to the User menu > System Settings > Authentication to see the options in the UI.

Ghostcat CVE-2020-1938

A vulnerability was recently discovered in Apache Tomcat's AJP (Apache JServ Protocol) connector that affects Tomcat versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99. For this release, the bundled Tomcat was upgraded from version 7.0.92 to version 9.0.31, which is not susceptible to this vulnerability. Customers who use AJP with Contrast on-premises version 3.7.0.709 or earlier should upgrade.

Generic webhook upgrades

The payload of the generic webhooks has been expanded to include more fields and return more information depending on the attack, vulnerability, or other notification. Users can now get information on Application ID, Trace ID, Vulnerability Rule, Environment, Severity, Status, Organization ID, Server ID, and Server Name if the information is available and can be formatted with the webhook configured.
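For readers checking their own Tomcat instances against the Ghostcat exposure described above, and against the 3.7.2 note that Tomcat 9 requires an AJP secret, here is an added audit script (not Contrast's or Apache's code). It reads a Tomcat server.xml and flags AJP connectors that will not start under Tomcat 9.0.31 or later (secret required but not set), that explicitly disable the secret, or that are reachable from every interface. The sample server.xml is constructed; Contrast's own server.properties keys are not shown because the page does not name them.

```python
"""Audit a Tomcat server.xml for AJP connectors that are exposed or that will not start.

Added example, not Contrast's or Apache's code. It encodes the Tomcat 9.0.31+
AJP connector rules relevant to Ghostcat (CVE-2020-1938): secretRequired
defaults to true, so the connector refuses to start unless a secret is set or
secretRequired="false" is declared explicitly; and the default bind address
became loopback, so an absent address attribute is only a problem on older
Tomcat builds.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector as it commonly looked before 9.0.31.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return (port, finding) tuples for every AJP connector in the document."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Covers "AJP/1.3" as well as explicit class names such as AjpNioProtocol.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        secret = conn.get("secret")
        address = conn.get("address")

        if secret_required and not secret:
            # The post-upgrade failure mode: Tomcat 9.0.31+ refuses to start this
            # connector until a secret is set or secretRequired="false" is declared.
            findings.append((port, "secretRequired is true but no secret is set: connector will not start"))
        elif not secret_required:
            findings.append((port, 'secretRequired="false": AJP accepts unauthenticated peers; rely on network isolation'))

        if address is None:
            findings.append((port, "no address attribute: binds to all interfaces on Tomcat older than 9.0.31"))
        elif address in ("0.0.0.0", "::"):
            findings.append((port, f"address={address}: AJP reachable from every interface"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```

A connector that passes cleanly looks like `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secret="..."/>`, with the same secret configured on the reverse proxy that fronts Tomcat; if AJP is not used at all, removing the connector is the simplest fix.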

Agent Updates

Java Agent Summary

Agent versions released this month: 3.7.1.13527, 3.7.1.13581

Bug Fixes:

  • Assess lacked support for HTTP/2 connections on Jetty.
  • Accuracy problems occurred with the AWS Java SDK.
  • Configurations on TeamServer were not honored as expected because of Assess rule configuration precedence.

New features and improvements:

Contrast's work to support Java 11 applications culminates in our 3.7.1 release with full support for Java 11 systems. Additionally, we have fixed a handful of accuracy problems, added Assess support for SQLite, and tuned our JDBC inspection to reduce overhead on our users' database connections. Starting with our 3.7.1.13581 release, the contrast-java-agent RPM packages on pkg.contrastsecurity.com are now GPG signed.

Node.js Agent Summary

Agent versions released this month: 2.12.0

Language versions supported: 10, 12

Bug fixes:

  • Server-side React page rendering is instrumented by default.
  • Agent not functioning correctly with the latest Node.js version 12.16.0.
  • Use of _headers in the response object is deprecated. This was revised to use getHeaders().

New features and improvements:

This month's work contains internal architecture improvements, improved testing and test cases. Work is also progressing on new Protect functionality for the agent. The Node.js agent now supports the LoopBack 3 framework. Node.js language version 8 is no longer supported as of agent version 2.11.0.

Python Agent Summary

Agent versions released this month: 2.6.1, 2.7.0

Language versions supported: 2.7, 3.5-3.7

Bug fixes:

  • Python Assess was prevented from collecting findings with older versions of Werkzeug.
  • Using the Jinja2 templating engine caused false positives.
  • A compilation macro error occurred regarding reproducible builds on certain systems.
  • Django version info for older versions of the framework caused issues.

New features and improvements:

This month's work continued hardening Python Assess and included updates to vulnerability accuracy and reporting. The 2.7.0 version of the agent includes improved support for older versions of Django and Werkzeug, better stability for the pymysql, psycopg2, and pycassa database adapters, and greater specificity for XSS when using the Jinja templating engine.

Ruby Agent Summary

Agent versions released this month: 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0 (minor)

Language versions supported: 2.4-2.6

Bug fixes:

  • Rails-style parameters in which Hash keys are passed in as nested parameter names were not handled well.

New features and improvements:

This most recent minor release contains internal improvements, including a reduction in object creation resulting from monkey patching for security analysis. In addition, we have refactored our evaluation of constants to reduce startup time and enhanced our support for the prepend monkeypatch style favored by Rails 6.

.NET Agent Summary

Agent versions released this month: .NET Framework: 20.2.1, 20.2.2, 20.2.3; .NET Core: 1.2.0, 1.2.1, 1.2.2

Language versions supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8; .NET Core: 2.1, 2.2, 3.0, 3.1

Bug fixes:

  • Observed routes were not reported if the .NET agent was configured to use a proxy for communication with Contrast.
  • .NET agent could stop using the session ID specified via configuration after a period of time.
  • The x-www-form-urlencoded parameters could be reported as parameter keys.
  • .NET Core agent would not change Protect rule modes after initialization.

New features and improvements:

Most significantly, this release adds support for .NET Core 3.0 and 3.1. Added new gadgets for Protect Untrusted Deserialization and a session timeout rule for .NET Core.

Contrast 3.7.0 - January 2020

Bug Fixes

  • Fixed Assess vulnerability reporting for Mulesoft based applications.

  • Ruby token authentication timed out when running Contrast with Passenger 6.0.

  • Some customers were not able to use route-based auto-verification with Python.

  • For the Python agent, handle_exception was not raising the original exception. Now it does with the entire stack trace.

  • Node Agent 2.10.1 was crashing with Express based applications.

New and Improved Features

PDF Compliance Reports now include the latest Payment Card Industry (PCI) Security Standard version: PCI 3.2.1

Sensitive data masking is now available for all language agents.

Library policy features have been extended to support open source licensing policy. Library dependency tree powered by a new command line interface has been introduced.

Agent Updates

Java Agent Summary

Accuracy improved for Assess and Protect, in particular, data flow accuracy for Java 11 applications. Added route-based auto-verification support and improved configuration error reporting.

Node.js Agent Summary

This release includes several performance improvements and fixes. All customers should upgrade to this version. Node.js version 8 is no longer supported.

Python Agent Summary

Improvements are mostly related to Assess. This includes fixes to sqlite3 patching, support for the Assess SSRF rule, auto-verification, reporting, and communication with Contrast Service. The agent no longer sends an XSS vulnerability if the response content type is whitelisted. It can also create an XSS vulnerability outside of rendering a template for django, flask, or werkzeug-compliant frameworks.

Ruby Agent Summary

The Ruby team has focused on internal improvements for this release. We have increased support for our reporting of technologies that appear on the Contrast UI when running with Sinatra applications. We now comply with SSRF+CSRF specifications. We reduced namespace pollution for applications no longer running Contrast.

Contrast 3.6.11 - December 2019

Bug Fixes

  • The Node.js agent reported probe events to the security/syslog logger when inputs were classified as "worth_watching."

  • Node agent didn't catch unvalidated redirects through the Express webserver.

  • .NET Framework agent reported false positives against the New Relic agent.

  • .NET Core agent logged to stdout for communications with Contrast.

  • Ruby agent depended on concurrent-ruby that conflicted with some versions of Rails.

  • Ruby agent startup time was not reliable in Heroku and Pivotal Cloud Foundry deployment environments.

  • Third-party gems that override core functionality of the Class, Module, and Object classes, including FactoryBot and Rollbar, conflicted with the Ruby agent.

New and Improved Features

  • We released the Microsoft Teams Integration.

  • When Protect is set to “Monitor mode” for Regex DOS, Padding Oracle and Zip File Overwrite rules, attack events will now be reported as "Suspicious" instead of "Exploited". This means there is suspicious activity but not a confirmed exploit.

  • Now Contrast can automatically verify a remediated vulnerability. Go to Organization Settings > Vulnerability Management to enable auto-verification by application, rule type, and environment.

  • The Attestation Report is now available as a PDF from an application's details page. It is formatted to include information about the application's open and closed vulnerabilities, open source security status, and route coverage information.

  • Java agent increased accuracy for both Assess and Protect and improved logging for containerized applications.

  • For Ruby agent, instrumented methods now allow improved dataflow detection through File and Regex creation and usage.

Agent Updates

Java Agent Summary

Java agent improved accuracy and user experience:

  • Configuring an agent to log to a console stream no longer produces an additional log file.
  • Assess data flow accuracy improved for Java 11 applications.

  • Route Coverage for Struts 2 applications is now supported.


Node.js Agent Summary

The Node.js agent now supports the new feature to auto-verify remediations.

Note: Pending end of support for Node.js 8. As per Node.js LTS policy, support for Node.js 8 will be deprecated in the January agent release.

Ruby Agent Summary

The Ruby agent now supports the new feature to auto-verify remediations. We also focused on third-party compatibility this month, specifically with those gems which undefine or redefine the signature of core methods, including const_defined? and other constant accessors.

In addition, updates have been made to the Contrast Service runner, allowing for the detection and cessation of zombie processes.

Contrast 3.6.10 - November 2019

Bug Fixes

  • The Flow Map interactive application view didn’t work in older IE11 browsers and had some minor formatting issues.

  • Drilling down on an Assess rule to see all apps that use the rule would cut off results at the first screen.

  • Protect suppressed incorrect attack events after creating an exclusion. (We fixed this by adding an option to suppress events in an improved Create Exclusion workflow.)

  • XXE attack events showed incorrect and confusing details in the attack event overview.

  • Libraries showed incorrect total vulnerability counts for CVEs.

  • Users could not override a Library policy at the organization level.

New and Improved Features

  • Jira integrations have a new application importance filtering option that tells Contrast to only create tickets for vulnerabilities from applications that have a specific importance level.

  • It’s now possible to search for vulnerabilities by Application Tag, both through the Contrast UI and the API. A new filter option in the Vulnerabilities view makes it easier to find vulnerabilities by topics that are relevant to your teams.

  • We support .NET Core applications deployed on Linux. We’re expanding our coverage of .NET Core applications from Windows to include Linux deployments. You can now use the same .NET Core agent and gain accurate and detailed security coverage on your application.

  • Integrations with Azure Pipeline can now allow development teams to set vulnerability thresholds that prevent builds from succeeding if applications exceed thresholds and are too vulnerable.

Agent Updates

Java summary

The Java team worked to improve accuracy in Assess for this release in these areas:

  • Detecting XSS attacks on Java Servlet applications

  • Detecting SSRF attacks

  • When using Java 11

The team also made improvements for reporting and troubleshooting, as well as smaller bug fixes. These include:

  • Clarified usage of the max_stack_depth property and improved reporting of the error that occurs when it is misconfigured.

  • Added a heartbeat message to help administrators diagnose Contrast Protect syslog connectivity.

.NET agent summaries

The team improved sensitive data masking for cookies and assured higher accuracy for Path Traversal rules in Protect.

.NET Framework

The team improved route-based coverage across the board to more accurately discover and observe routes for different routing configurations. They also fixed the following bugs:

  • Error logging bug when the agent had a problem discovering applications hosted on IIS

  • The agent could produce an invalid IL code for applications that were re-deployed dozens and dozens of times without a server restart.

.NET Core

The Contrast .NET Core agent now supports Linux (Ubuntu, Debian, openSUSE)! See https://docs.contrastsecurity.com/installation-netcoresupport.html

The team also added a feature to capture and report the HTTP POST body for vulnerabilities and attacks.

Node.js summary

The Node team is pleased to announce full support for Node.js version 12 LTS.

The team also implemented route-based auto-verification (RBAV) functionality for the agent. RBAV will be fully released and functional when our main products also complete server implementation for route-based auto-verification.

We fixed how Assess reports relevant findings from malicious cookies for the Koa framework.

Ruby summary

The Ruby team focused on language compatibility to ensure the agent adheres to best practices and works alongside common dependencies. In particular, the team addressed an incompatibility with FactoryBot, allowing the agent to run with the gem installed. The team also fixed an incompatibility with the 2.6 base image on Heroku, so the agent can once again be installed in that environment.

In addition, updates to Contrast Service runner assure startup in all supported installations, as well as improved interoperability for applications running in multiple processes.

The team also implemented route-based auto-verification (RBAV), slated for full release later this year.

Python summary

The Python team released the Python Assess beta and continues to add features and stability improvements.

The team also improved the agent’s SQLAlchemy support and request body handling. The agent now logs its configuration and log file locations to stdout on initialization. The team fixed several issues surrounding its communication with the Contrast Service, enabling the agent to use the latest version of the Service (2.3.0) by default.

Additional improvements include PyCassa support for SQL injection and updates to internal testing and packaging.