42Crunch Platform release, July 28, 2022

This 42Crunch API Security Platform release provides a faster way to find your active API Firewall instances, adds expiration dates to API tokens, and improves the integration with third-party solutions.

New features

The following are the new features and improvements to the existing ones in this release.

New view for API Firewall instances

You can now get to all your active API Firewall instances directly from the main menu of the platform.

  • See all API Firewall instances at one glance, no need to navigate to different APIs first.
  • Quickly check the status of the instances:
    • Green means running normally, no problems detected.
    • Red means the instance is unreachable and 42Crunch Platform cannot verify its state.
  • Get to the security dashboard and transaction logs faster by simply clicking the deployment name.

The screenshot shows two firewall instances listed. The first one is marked red, meaning that the platform cannot currently reach it. The second instance is marked green, meaning that the platform can reach that instance.

For more details, see View security dashboards.

This view is currently available as a beta for organization administrators. Its development is still ongoing, so some data might not yet be visible for your instances. However, all data is still available the same way as before.

Expiration date for API tokens

For security reasons, we have now added an expiration date for API tokens.

  • New API tokens expire after one month by default, but you can also set a different expiry date.
  • Old API tokens remain unchanged.

For more details, see Tokens.

Improvements in Conformance Scan

We have improved the support for tokens when configuring the authentication details that Conformance Scan uses to authenticate to your APIs during the scan.

The scan report that Conformance Scan produces now also shows what version of the scan engine generated the report, both when running the scan on premises and on the platform.

An example of a scan report

In addition, we have fixed two bugs when running Conformance Scan on premises:

  • Previously, in some cases 42Crunch Platform failed to load the report from an on-premises scan and the scan status on the API summary tab was not shown. This has now been fixed.
  • Conformance Scan run on-premises no longer ignores the default scan customization rule of the organization but properly applies it when scanning APIs.

Other improvements

There have also been other smaller improvements and fixes:

  • All security quality gates (SQGs) now clearly indicate their type directly in the SQG list.

    The screenshot shows the default security quality gate in its default configuration.

  • We have fixed a bug in percentage calculation in the diagram for severity of audit issues in executive dashboard for Security Audit that caused some metrics to show incorrectly.

View your APIs and API collections in your IDE

In addition to running Security Audit, you can now extend the integration with 42Crunch Platform in Visual Studio Code (VS Code) and JetBrains IntelliJ IDEA and view the APIs and API collections available to you in your IDE. You can also, for example, rename or delete APIs directly from the editor.

Creating API tokens requires a user account in 42Crunch Platform. If you have so far only used the token that was mailed to you when you first ran Security Audit in the IDE, you must sign up for an account before you can configure the integration for viewing the APIs and API collections in your IDE.

For more details, see:

Fixes and improvements to documentation for Kubernetes Injector for API Firewall

We have improved the instructions on how to use Kubernetes Injector to automate deploying API Firewall instances to your Kubernetes ecosystem.

For more details, see Kubernetes Injector for API Firewall.

Changed behavior

  • From this release onwards, versioning for Conformance Scan no longer follows the platform versioning.
    • When an on-premises scan starts, you may now see a different version from the platform than the Docker image that you are running.
    • The compatibility information in the release notes is retained. You should always check which images for on-premises scan are compatible with your platform.
  • Auditors can now see all APIs, not just the APIs in the collections shared with them, when they use Find API, just like organization administrators.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly.
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas.
  • 42crunch/apifirewall:v1.0.17
    • Upgrade to httpd 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
  • 42crunch/apifirewall:v1.0.16
    • Fixed parsing multipart/form-data.
    • Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
    • Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
  • 42crunch/apifirewall:v1.0.13
    • Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790).
    • Upgrade to openssl 1.1.1m.
    • Various small improvements.
  • 42crunch/apifirewall:v1.0.12
    • Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
    • Improved matching to allow filtering API calls by IP or network addresses.
    • Fixed setting the request path when $TARGET_URL contains a basepath.
    • Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
  • 42crunch/apifirewall:v1.0.11
    • GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
    • Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
  • 42crunch/apifirewall:v1.0.10
    • Fixed cookie attribute parsing in responses.
    • Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
    • Updated platform CA chain.
  • 42crunch/apifirewall:v1.0.9-1
    • Fixed handling UTF-8 patterns in JSON schemas.
    • Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
    • Updated platform CA chain.

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

  • 42crunch/scand-agent:v1.21.1
    • Fixed a bug in applying the default scan customization rule of the organization.
  • 42crunch/scand-agent:v1.20.2
    • Internal cleanup and refactoring.
  • 42crunch/scand-agent:v1.20.1
    • Percentages in the filter bar of the scan report.

All previous image versions have been deprecated and are no longer supported.

Deprecated components

The following have been deprecated and will be removed in the future.

Deprecated Conformance Scan images

The following versions of the 42crunch/scand-agent Docker image have been deprecated and will be removed in October 2022:

  • 42crunch/scand-agent:v1.19.3
  • 42crunch/scand-agent:v1.19.2
  • 42crunch/scand-agent:v1.18.0
  • 42crunch/scand-agent:v1.17.0
  • 42crunch/scand-agent:v1.16.1
  • 42crunch/scand-agent:v1.16.0
  • 42crunch/scand-agent:v1.15.0
  • 42crunch/scand-agent:v1.14.1

See Deprecated API Conformance Scan images.

Known issues

This release has the following known issues.

Occasional issues with displaying some API, API collection, and collection dashboard details

There are some occasional issues with how APIs, API collections, and dashboards are displayed:

  • If you have more than one API collection and you go to view an API, occasionally the API you previously viewed is shown instead.
  • If you go to view an API by searching, the details on the API summary tab can wrongly attribute the API to an API collection you viewed previously.
  • If you have very many APIs in one API collection and you go to view the collection dashboard, the names of the APIs are not shown on the charts.
  • APIs that have not yet been scanned are shown in the API Conformance Scan chart of the API collection, which may give the wrong impression that the scan did not find any issues in them.

These issues only affect how the data is shown in the UI; the underlying data in the backend is still correct. The issues do not happen consistently, and we are currently investigating them further. They will be fixed in a future release.

SQG status not updating on the API summary page

When there are changes to the SQGs applied to an API, for example, you tag the API to apply a new SQG, the SQG status on the audit report is correctly updated, but the API summary tab still shows the previous SQG status. When you rerun the audit, the status on the API summary tab is correctly updated.

In some circumstances the audit score badge shown on the API summary tab is not correctly updated to match the status of the audit SQGs passing or failing. This issue does not happen consistently, and we are currently investigating it.

These will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team. Note that auditors themselves never get read/write access to any APIs or API collections shared with their team.

Auditors cannot view the executive dashboards.

These will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it. In addition, in some cases the input validation on the UI can behave unexpectedly.

These will be fixed in a future release.

YAML conversion shown regardless of the format of API definition

Converting API format currently shows as "Convert to YAML" regardless of the format (JSON or YAML) of your API definition. However, despite the text shown, your API is correctly converted from JSON to YAML or from YAML to JSON.

This will be fixed in a future release.

Limited sharing not possible when importing APIs

Users who only have the permission to share API collections with named users and teams cannot share API collections they create when importing APIs. They can, however, share them as per usual after completing the import.

This will be fixed in a future release.

Automatic sharing with everyone not possible for new SSO users

Currently, the sharing permissions for new users onboarded to 42Crunch Platform through single sign-on (SSO) integration are automatically set to sharing only with named teams and users. If you want to allow these users to share with everyone in your organization, you must enable it in the user permissions. The permissions of existing users in your organization have been retained as they were.

This will be fixed in a future release.

Conformance Scan string limits may conflict with minLength or maxLength values

By default, Conformance Scan limits the maximum length of strings in the requests it sends during the scan to 4096 characters. If the properties minLength or maxLength, or the length limits in a regular expression, that you have defined for an API operation in your API definition conflict with this limit, it causes issues during the scan.

If the minimum length required is longer than the string length limit allowed in Conformance Scan, the scan cannot create the happy path request for that operation to establish a baseline. If the maximum length allowed in the API is longer than the allowed string length limit in Conformance Scan, the scan can create the happy path request but not the actual request during the scan.

In both cases, the operation is shown as a skipped operation in the scan report, but for different reasons. You must fix the operation in your API definition before it can be successfully scanned.

Regular expression lookaheads may cause issues

If your API definition has regular expressions with either positive or negative lookaheads defined, these may cause unexpected behavior, for example, in Conformance Scan.
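To catch both of the scan problems described above before running Conformance Scan (the 4096-character string limit versus minLength/maxLength, and lookaheads in patterns), here is an added pre-scan lint over a parsed OpenAPI definition. It is example code, not part of the 42Crunch platform; the sample API definition and the function names are constructed for the example, and the lookaround check goes slightly beyond the page by also flagging lookbehinds.

```python
# Added example (not 42Crunch code): lint a parsed OpenAPI definition for string
# constraints that conflict with Conformance Scan's default 4096-character string limit,
# and for lookahead/lookbehind groups in `pattern`, before submitting the API for a scan.
import re

SCAN_STRING_LIMIT = 4096  # default maximum string length used by Conformance Scan (from the page)
LOOKAROUND = re.compile(r"\(\?(=|!|<=|<!)")  # matches (?=  (?!  (?<=  (?<!

def walk_schemas(node, path="$"):
    """Yield (json_path, schema) for every dict that is a string schema."""
    if isinstance(node, dict):
        if node.get("type") == "string":
            yield path, node
        for key, val in node.items():
            yield from walk_schemas(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk_schemas(val, f"{path}[{i}]")

def find_scan_conflicts(openapi, limit=SCAN_STRING_LIMIT):
    """Return (json_path, reason) pairs for constraints the scan cannot satisfy."""
    findings = []
    for path, schema in walk_schemas(openapi):
        min_len, max_len = schema.get("minLength"), schema.get("maxLength")
        if isinstance(min_len, int) and min_len > limit:
            # The scan cannot build the happy-path request at all
            findings.append((path, "minLength exceeds scan limit (no happy-path request)"))
        elif isinstance(max_len, int) and max_len > limit:
            # The happy path works, but the scan's own requests cannot be built
            findings.append((path, "maxLength exceeds scan limit (scan requests skipped)"))
        pattern = schema.get("pattern")
        if isinstance(pattern, str) and LOOKAROUND.search(pattern):
            findings.append((path, "pattern uses lookahead/lookbehind"))
    return findings

# Constructed sample definition (not from the page) that exercises each case.
SAMPLE_API = {"openapi": "3.0.0", "paths": {"/notes": {"post": {"requestBody": {
    "content": {"application/json": {"schema": {"type": "object", "properties": {
        "title": {"type": "string", "maxLength": 120},
        "body": {"type": "string", "minLength": 5000},
        "blob": {"type": "string", "maxLength": 8192},
        "slug": {"type": "string", "pattern": "^(?!admin)[a-z0-9-]{3,32}$"},
    }}}}}}}}}

if __name__ == "__main__":
    for path, reason in find_scan_conflicts(SAMPLE_API):
        print(f"{path}: {reason}")
```

Run it against your own definition by loading the JSON or YAML file into a dict and passing it to find_scan_conflicts; every finding corresponds to an operation that would otherwise show up as skipped in the scan report.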