March 4, 2020
LDAP-based automated group provisioning Administrators can leverage LDAP groups to automatically provision or deprovision users within Contrast groups at login time. When this feature is enabled for LDAP-based authentication, users are added to a Contrast group for a corresponding LDAP group and removed from Contrast groups that aren't allowed per the group mapping configuration. Go to the User menu > System Settings > Authentication to see the options in the UI.
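The reconciliation the note describes (add the user to the Contrast group mapped from each LDAP group, remove them from mapped groups the mapping no longer entitles them to) can be written down as a small pure function. The following is an added example, not Contrast's own provisioning code; the mapping shape, the group names and the assumption that only groups appearing in the mapping are managed (manually assigned groups are left alone) are mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Reconciliation:
    """Result of one login-time reconciliation of a user's group membership."""
    add: frozenset
    remove: frozenset
    keep: frozenset

def reconcile_groups(ldap_groups, current_contrast_groups, mapping):
    """
    ldap_groups: LDAP group DNs the directory reports for the user at login.
    current_contrast_groups: Contrast groups the user is in before login.
    mapping: {ldap_group_dn: contrast_group} as configured by the administrator.

    Assumption (not from the release note): only Contrast groups that appear
    as a value in the mapping are managed by provisioning; any other group the
    user holds is kept untouched.
    """
    managed = set(mapping.values())
    entitled = {mapping[g] for g in ldap_groups if g in mapping}
    current = set(current_contrast_groups)

    add = entitled - current                      # entitled by LDAP, not yet a member
    remove = (current - entitled) & managed       # managed, but no longer entitled
    keep = current - remove                       # everything else stays as-is
    return Reconciliation(frozenset(add), frozenset(remove), frozenset(keep))

# Constructed sample data for the demonstration.
SAMPLE_MAPPING = {
    "cn=appsec,ou=groups,dc=example,dc=com": "AppSec",
    "cn=developers,ou=groups,dc=example,dc=com": "Developers",
    "cn=operators,ou=groups,dc=example,dc=com": "Operators",
}

if __name__ == "__main__":
    result = reconcile_groups(
        ldap_groups=["cn=appsec,ou=groups,dc=example,dc=com",
                     "cn=developers,ou=groups,dc=example,dc=com"],
        current_contrast_groups=["Developers", "Operators", "Legacy-Manual"],
        mapping=SAMPLE_MAPPING,
    )
    print(result)
```

The user above gains AppSec, loses Operators (it is a mapped group they are no longer entitled to) and keeps both Developers and the unmanaged Legacy-Manual group.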
Ghostcat CVE-2020-1938 A vulnerability was recently discovered in the Apache JServ Protocol (AJP) connector that affects Apache Tomcat versions 9.0.0.M1 to 188.8.131.52, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99. For this release, Tomcat was upgraded from version 7.0.92 to version 9.0.31, which is not susceptible to this vulnerability. Customers who are using AJP and Contrast on-premise version 184.108.40.2069 or earlier should upgrade.
Generic webhook upgrades The payload of the generic webhooks has been expanded to include more fields and return more information depending on the attack, vulnerability, or other notification. Users can now get information on Application ID, Trace ID, Vulnerability Rule, Environment, Severity, Status, Organization ID, Server ID, and Server Name if the information is available and can be formatted with the webhook configured.
Agent versions released this month: 220.127.116.1127, 18.104.22.16881
Contrast's work to support Java 11 applications culminates in our 3.7.1 release with full support for Java 11 systems. Additionally, we have fixed a handful of accuracy problems, added Assess support for SQLite, and tuned our JDBC inspection to reduce overhead on our users' database connections. Starting with our 22.214.171.12481 release, the contrast-java-agent RPM packages on pkg.contrastsecurity.com are now GPG signed.
Agent versions released this month: 2.12.0
Language versions supported: 10, 12
_headers in the response object is deprecated. This was revised to use
This month's work contains internal architecture improvements, improved testing and test cases. Work is also progressing on new Protect functionality for the agent. The Node.js agent now supports the LoopBack 3 framework. Node.js language version 8 is no longer supported as of agent version 2.11.0.
Agent versions released this month: 2.6.1, 2.7.0
Language versions supported: 2.7, 3.5-3.7
This month's work continued hardening Python Assess and included updates to vulnerability accuracy and reporting. The 2.7.0 version of the agent includes improved support for older versions of Django and Werkzeug, better stability for the pymysql, psycopg2, and pycassa database adapters, and greater specificity for XSS when using the Jinja templating engine.
Agent versions released this month: 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0 (minor)
Language versions supported: 2.4-2.6
This most recent minor release contains internal improvements, including a reduction in object creation resulting from monkey patching for security analysis. In addition, we have refactored our evaluation of constants to reduce startup time and enhanced our support for the prepend monkeypatch style favored by Rails 6.
Agent versions released this month: .NET Framework: 20.2.1, 20.2.2, 20.2.3 .NET Core: 1.2.0, 1.2.1, 1.2.2
Language versions supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 .NET Core: 2.1, 2.2, 3.0, 3.1
x-www-form-urlencoded parameters could be reported as parameter keys.
Most significantly, this release adds support for .NET Core 3.0 and 3.1. Added new gadgets for Protect Untrusted Deserialization and a session timeout rule for .NET Core.
Fixed Assess vulnerability reporting for Mulesoft based applications.
Ruby token authentication timed out when running Contrast with Passenger 6.0.
Some customers were not able to use route-based auto-verification with Python.
For the Python agent, handle_exception was not raising the original exception. Now it does with the entire stack trace.
Node Agent 2.10.1 was crashing with Express based applications.
PDF Compliance Reports now include the latest Payment Card Industry (PCI) Security Standard version: PCI 3.2.1
Sensitive data masking is now available for all language agents.
Library policy features have been extended to support open source licensing policy. Library dependency tree powered by a new command line interface has been introduced.
Accuracy improved for Assess and Protect, in particular, data flow accuracy for Java 11 applications. Added route-based auto-verification support and improved configuration error reporting.
This release includes several performance improvements and fixes. All customers should upgrade to this version. Node.js version 8 is no longer supported.
Improvements are mostly related to Assess. This includes fixes to sqlite3 patching, support for the Assess SSRF rule, auto-verification, reporting, and communication with Contrast Service. The agent no longer sends an XSS vulnerability if the response content type is whitelisted. It can also create an XSS vulnerability outside of rendering a template for django, flask, or werkzeug-compliant frameworks.
The Ruby team has focused on internal improvements for this release. We have increased support for our reporting of technologies that appear on the Contrast UI when running with Sinatra applications. We now comply with SSRF+CSRF specifications. We reduced namespace pollution for applications no longer running Contrast.
Node probe events reported to security/syslog logger as a result of inputs getting classified as "worth_watching."
Node agent didn't catch unvalidated redirects through the Express webserver.
.NET Framework agent reported false positives against the New Relic agent.
.NET Core agent logged to stdout for communications with Contrast.
Ruby agent depended on concurrent-ruby that conflicted with some versions of Rails.
Ruby agent startup time was not reliable in Heroku and Pivotal Cloud Foundry deployment environments.
Ruby agent third-party gems overrode core functionality of the Class, Module, and Object classes, including FactoryBot and Rollbar.
We released the Microsoft Teams Integration.
When Protect is set to “Monitor mode” for Regex DOS, Padding Oracle and Zip File Overwrite rules, attack events will now be reported as "Suspicious" instead of "Exploited". This means there is suspicious activity but not a confirmed exploit.
Now Contrast can automatically verify a remediated vulnerability. Go to Organization Settings > Vulnerability Management to enable auto-verification by application, rule type, and environment.
The Attestation Report is now available as a PDF from an application's details page. It is formatted to include information about the application's open and closed vulnerabilities, open source security status, and route coverage information.
Java agent increased accuracy for both Assess and Protect and improved logging for containerized applications.
For Ruby agent, instrumented methods now allow improved dataflow detection through File and Regex creation and usage.
Java agent improved accuracy and user experience:
The Node.js agent now supports the new feature to auto-verify remediations. Note: Pending end of support for Node.js 8. As per Node.js LTS policy, support for Node.js 8 will be deprecated in the January agent release.
The Ruby agent now supports the new feature to auto-verify remediations. We also focused on third-party compatibility this month, specifically with those gems which undefine or redefine the signature of core methods, including const_defined? and other constant accessors.
In addition, updates have been made to the Contrast Service runner, allowing for the detection and cessation of zombie processes.
The Flow Map interactive application view didn’t work in older IE11 browsers and had some minor formatting issues.
Drilling down on an Assess rule to see all apps that use the rule would cut off results at the first screen.
Protect suppressed incorrect attack events after creating an exclusion. (We fixed this by adding an option to suppress events in an improved Create Exclusion workflow.) XXE attack events showed incorrect and confusing details in the attack event overview.
Libraries showed incorrect total vulnerabilities counts for CVEs. Users could not override a Library policy at the organization level.
Jira integrations have a new application importance filtering option that tells Contrast to only create tickets for vulnerabilities from applications that have a specific importance level.
It’s now possible to search for vulnerabilities by Application Tag, both through the Contrast UI and the API. A new filter option in the Vulnerabilities view makes it easier to find vulnerabilities by topics that are relevant to your teams.
We support .NET Core applications deployed on Linux. We’re expanding our coverage of .NET Core applications from Windows to include Linux deployments. You can now use the same .NET Core agent and gain accurate and detailed security coverage on your application.
Integrations with Azure Pipeline can now allow development teams to set vulnerability thresholds that prevent builds from succeeding if applications exceed thresholds and are too vulnerable.
The Java team worked to improve accuracy in Assess for this release in these areas:
Detecting XSS attacks on Java Servlet applications
Detecting SSRF attacks
When using Java 11
The team also made improvements for reporting and troubleshooting, as well as smaller bug fixes. These include:
Clarified usage of the max_stack_depth property and improved reporting of the error that occurs when it is misconfigured.
Added a heartbeat message to help administrators diagnose Contrast Protect syslog connectivity.
The team improved sensitive data masking for cookies and assured higher accuracy for Path Traversal rules in Protect.
The team improved route-based coverage across the board to more accurately discover and observe routes for different routing configurations. They also fixed the following bugs:
Error logging bug when the agent had a problem discovering applications hosted on IIS
The agent could produce an invalid IL code for applications that were re-deployed dozens and dozens of times without a server restart.
The Contrast .NET Core agent now supports Linux (Ubuntu, Debian, openSUSE)! See https://docs.contrastsecurity.com/installation-netcoresupport.html
The team also added a feature to capture and report the HTTP POST body for vulnerabilities and attacks.
The Node team is pleased to announce full support for NodeJS version 12 LTS.
The team also implemented route-based auto-verification (RBAV) functionality for the agent. RBAV will be fully released and functional when our main products also complete server implementation for route-based auto-verification.
We fixed how Assess reports relevant findings from malicious cookies for the Koa framework.
The Ruby team focused on language compatibility to ensure the agent adheres to best practices and works alongside common dependencies. In particular, the team addressed an incompatibility with FactoryBot, allowing the agent to run with the gem installed. The team also fixed an incompatibility with the 2.6 base image on Heroku, so the agent can once again be installed in that environment.
In addition, updates to Contrast Service runner assure startup in all supported installations, as well as improved interoperability for applications running in multiple processes.
The team also implemented route-based auto-verification (RBAV), slated for full release later this year.
The Python team released the Python Assess beta and continues to add features and stability improvements.
The team also improved the agent’s SQLAlchemy support and request body handling. The agent now logs its configuration and log file locations to stdout on initialization. The team fixed several issues surrounding its communication with the Contrast Service, enabling the agent to use the latest version of the Service (2.3.0) by default.
Additional improvements include PyCassa support for SQL injection and updates to internal testing and packaging.
Jira integrations allow you to set standards for application importance levels as well as specific application names.
Settings for time-based auto-remediation policy and administrator approval to close vulnerabilities have moved from your Organization Settings to a new Vulnerability Management page within Policy Management.
A Contrast plugin for the 2019 version of the Visual Studio IDE lets you see a list of vulnerabilities and details on each one, such as remediation guidance, directly in the IDE as Contrast discovers security flaws in your applications.
Contrast will import library cache data in the background rather than block start up to import. This results in a faster startup time; however, Contrast will not display library data until the import task is done.
For Assess, the Java team added coverage for java.util.Scanner APIs and java.net.URL#openStream. We fixed a library reporting issue in Assess that would cause previously reported libraries to disappear. The agent now recognizes the OWASP Encoder project's JSP tags as valid security controls. The agent no longer reports anti-clickjacking and anti-caching vulnerabilities for requests for font files, or XSS vulnerabilities in request for PDF files.
For Protect, the agent can better detect and block commands started from OGNL expressions. Protect rules can now detect attacks when the input is base64 encoded. We also improved the accuracy of the Protect EL Injection rule to not block attacks where java.lang.Class is used only to obtain the simple name via #getSimpleName.
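Why base64 handling matters for a detection rule: a pattern matched only against the raw input never sees an expression that arrives encoded, so the analysis has to try the decoded views as well, with a bound on nesting and a bail-out when the decoded bytes are not text. The block below is an added illustration in Python, not the Java agent's rule logic; the expression-start pattern, the base64 candidate test and the depth limit are my constructed choices.

```python
import base64
import binascii
import re

# Constructed demonstration pattern: the opening of an expression-language style
# token such as "${" or "#{". A real Protect rule is considerably richer.
EXPRESSION_START = re.compile(r"[$#%@]\{")

# A value is worth trying to decode only if it looks like base64: a long enough
# run of the base64 alphabet with optional padding.
B64_CANDIDATE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def decoded_views(value, max_depth=2):
    """Yield the raw value, then each successive base64 decoding of it.

    Stops when the current view does not look like base64, when decoding fails,
    when the decoded bytes are not UTF-8 text, or after max_depth layers, so a
    benign value that merely happens to be valid base64 cannot recurse forever.
    """
    yield value
    current = value
    for _ in range(max_depth):
        candidate = current.strip()
        if not B64_CANDIDATE.match(candidate):
            return
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return
        yield decoded
        current = decoded

def analyze_input(value):
    """Return (flagged, matching_view): the first view in which the pattern matched."""
    for view in decoded_views(value):
        if EXPRESSION_START.search(view):
            return True, view
    return False, None

if __name__ == "__main__":
    # Constructed inputs: a plain expression, the same expression base64 encoded, and benign text.
    plain = "${appName}"
    encoded = base64.b64encode(plain.encode()).decode()
    for sample in (plain, encoded, "hello world", base64.b64encode(b"Hello world").decode()):
        print(repr(sample), "->", analyze_input(sample))
```

The decoded view is returned alongside the verdict so that the event reported upstream can show what the input actually contained, not only the encoded form that was received.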
Lastly, we improved error reporting in agent initialization when unable to access the temporary directory, and added the port to reporting of HTTP requests in J2EE applications.
The team added the ability to filter which applications in IIS will be analyzed via the application_whitelist configuration settings. We improved performance of Protect analysis under CLR2 as well as accuracy of Assess propagation starting with the HttpRequest.Uri source. We also fixed a bug where the agent didn't properly handle NGEN assemblies.
The team fixed several bugs that could prevent certain instrumented applications from initializing or starting correctly.
The Node team completed the following bug fixes:
We also added a note in the agent's troubleshooting README for installing the agent when running on Alpine, and did some internal code cleanup and testing improvements.
For much of the October release, the Ruby team focused on performance improvements in the agent, particularly around startup, patching, and interpolation detection. The agent now has a more lightweight impact while patching. We also made substantial changes to how we track dataflow through interpolation events by relying on C patching and AST rewriting as opposed to code rewriting. These changes contributed to the performance and stability of the agent as a whole.
The Python team implemented more robust handling of cases in which requests have been read by other middlewares higher in the stack, and made improvements to route coverage and agent logging. We fixed an issue related to the handling of binary data in responses from applications. We also made updates to the agent README, and did some internal code cleanup and testing.
Use your application's flow map to see where data from your application connects it to back-end systems and other applications in your organization. Every time you exercise your application, the Contrast agent reports information to the Contrast UI about new back-end systems and applications - no extra configuration required. To see the latest connections, go to your application's new Flow Map tab.
Contrast's sensitive data masking feature protects sensitive data in your applications by redacting it in Contrast vulnerability and attack reports that are sent to the Contrast UI, syslog or security log. All Contrast agents apply data masking for critical data types to all applications by default. To see each of the data types and add custom criteria for your organization, go to the user menu > Policy Management > Sensitive Data tab in the UI.
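The shape of such masking is worth seeing end to end: the redaction keys off parameter, header and JSON field names, is applied to every part of the captured request before the report leaves the agent, and takes organization-specific criteria on top of a default list. This is an added Python illustration, not any Contrast agent's masking code; the default key list, the mask text and the sample report are constructed for the demo.

```python
from urllib.parse import parse_qsl

# Constructed default criteria (Contrast ships its own list of data types).
DEFAULT_SENSITIVE_KEYS = frozenset(
    {"password", "passwd", "secret", "token", "authorization", "ssn", "credit_card"}
)
MASK = "REDACTED"

def is_sensitive(key, criteria=DEFAULT_SENSITIVE_KEYS):
    """A key is sensitive when any criterion occurs in it, case-insensitively."""
    key = key.lower()
    return any(c in key for c in criteria)

def mask_params(query, criteria=DEFAULT_SENSITIVE_KEYS):
    """Mask a URL-encoded query or form string; returns (key, value) pairs in order."""
    return [(k, MASK if is_sensitive(k, criteria) else v)
            for k, v in parse_qsl(query, keep_blank_values=True)]

def mask_headers(headers, criteria=DEFAULT_SENSITIVE_KEYS):
    """Mask header values whose names match the criteria (e.g. Authorization)."""
    return {k: (MASK if is_sensitive(k, criteria) else v) for k, v in headers.items()}

def mask_json(value, criteria=DEFAULT_SENSITIVE_KEYS):
    """Recursively mask sensitive keys anywhere in a decoded JSON document."""
    if isinstance(value, dict):
        return {k: (MASK if is_sensitive(k, criteria) else mask_json(v, criteria))
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask_json(v, criteria) for v in value]
    return value

def mask_report(report, extra_criteria=()):
    """Apply masking to every captured request part of a report before it is sent.

    extra_criteria plays the role of the organization's custom criteria.
    """
    criteria = DEFAULT_SENSITIVE_KEYS | frozenset(c.lower() for c in extra_criteria)
    return {
        "query": mask_params(report.get("query", ""), criteria),
        "headers": mask_headers(report.get("headers", {}), criteria),
        "body": mask_json(report.get("body"), criteria),
    }

# Constructed sample event; not a real Contrast report format.
SAMPLE_REPORT = {
    "query": "user=alice&password=hunter2&card_number=4111111111111111",
    "headers": {
        "Content-Type": "application/json",
        "Authorization": "Bearer abc.def.ghi",
        "X-Api-Token": "t0k3n",
    },
    "body": {
        "profile": {"name": "alice", "ssn": "123-45-6789"},
        "cards": [{"credit_card": "4111111111111111", "expiry": "12/24"}],
    },
}

if __name__ == "__main__":
    print(mask_report(SAMPLE_REPORT, extra_criteria=("card_number",)))
```

Matching on the key name rather than on the value is deliberate: it redacts a field regardless of what the user typed, at the cost that a sensitive value stored under an unlisted key passes through, which is exactly what the custom criteria are for.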
Set up Contrast's new PagerDuty integration to receive attack notifications outside of the UI. Each notification automatically provides details on the attack, including the application, server and source IP involved. Go to the user menu > Organization Settings > Integrations tab to connect your PagerDuty account to your Contrast organization.
The Java team improved the accuracy and performance of instrumentation for String replacement operations. We also enhanced the Protect Command Injection Rule so that it can block commands that attempt to use dangerous path arguments such as
The .NET team improved accuracy of Assess SQL-Injection against EF-Core, the Protect XSS rule, and handling of odd URLs when deciding whether or not to analyze events during servicing of a request. We also fixed several bugs that could result in warnings in agent log files.
For the .NET Framework agent, the team implemented beta support for a Protect Cross-Site Request Forgery rule, and extended the Protect Unsafe File Upload rule to handle file uploads under Web API applications. We also fixed the following bugs:
For the .NET Core agent, the team implemented the Protect Unsafe File Upload rule.
The Node team released Beta support for the Kraken.js web framework. We updated our internal logging to standardize reporting at non-DEBUG levels. We closed a defect where an application without a valid license in Protect mode would fail to start. An unlicensed application in Protect mode will now start with a log indicating that Protect mode is disabled due to a lack of licenses. The team resolved an issue where the Unsafe File Upload rule in the Hapi 17 framework wouldn't have the correct HTTP request context. Finally, we updated our internal test suite to include the Ubuntu Alpine image.
The Ruby team updated the agent to use Contrast Service for input analysis of attack vectors. This update provides more consistent rule implementation for Protect rules as well as REP support during input analysis, while also providing more performance and requiring fewer resources on the instrumented application. We also continue to implement performance improvements in the Ruby Assess agent by implementing more granular marking of rewritten Ruby modules and preventing multiple attempts at rewriting a file. The agent now also limits the context where a propagation node needs to be copied.
The Python team continues to work towards the Beta release of the Python Assess agent. In September, the Python team finalized support of the Pylons framework. The agent now has standard behavior of logging at non-DEBUG levels, and no longer reports deprecation warnings due to an escaped regular expression pattern. Finally, the Python agent now supports the Contrast Service executable in read-only environments.