Issued: November 1st 2024 (Eastern/U.S.)
Customers running EOP should upgrade to version 3.11.8 or later before upgrading their Java agent to version 6.11 or later. This is due to the new feature enhancement discussed below. If customers upgrade the agent before upgrading EOP, they may see new middleware routes appear and a potentially significant change to their route coverage metrics. These routes are not intended to be presented in the UI, as they do not influence the route coverage metric today. EOP builds 3.11.8 and later filter out these routes, which is the intended behavior.
What did we build?
The Contrast Java Agent has been enhanced to instrument middleware components. This will reduce potential false positives that result in vulnerabilities being tied to routes rather than the middleware itself. Tying a vulnerability found in middleware to routes may have resulted in duplicate vulnerabilities.
Middleware components play an essential role in web applications by intercepting and processing requests before they reach servlets/controllers and by handling responses after servlets/controllers complete execution.
Why is this important?
In prior agent versions, vulnerabilities tied to middleware could be duplicated, which increased the number of vulnerabilities that security teams needed to review. This resulted in wasted time, missed priorities, and inefficient remediation efforts. By instrumenting middleware, Contrast presents a single vulnerability rather than a list of duplicates, enabling more effective triage.
More Information on Middleware Instrumentation
If you have any additional questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us at support@contrastsecurity.com.