42Crunch Platform release, August 31, 2022

This 42Crunch API Security Platform release lets you add a banner for sharing information directly on the platform landing page and introduces new parameter for the protections for JSON Web Token (JWT) validation.

New features

The following are the new features and improvements to the existing ones in this release.

Message banner on the landing page

Organization administrators can now define a custom message banner that is shown to all users in their organization on the landing page of 42Crunch Platform.

Provide useful information conveniently to all users in a single, easily found place.
Update the contents or remove the banner completely as needed.
Change the look of the banner to reflect your message, the type of information, or even just your company colors.
Include links to direct the users to additional information elsewhere.

The screenshot shows a sample custom banner visible at the top of the platform landing page.

For more details, see Add a message banner on the landing page.

New parameter to the JWT protections

You can now use the parameter jwk.cache.timeout to configure the timeout for how long the JSON Web Key (JWK) token is cached in the protections for JWT validation if you are retrieving the token from a JWK URI.

For more details, see JWT validation.

Improvements to describing your API and API collection naming conventions

If you have defined organization-wide naming conventions for APIs and API collections and want to provide additional information on them, you can now use a wider range of characters in the description field. This better allows using URLs to provide links outside 42Crunch Platform where users in your organization can learn more about your chosen naming conventions

For more details, see Define a naming convention for APIs and Define a naming convention for API collections.

Fix to scan customization rules

Previously, if you had defined a scan rule that skipped response body assessment, API Conformance Scan ignored this and performed response body assessment anyway. Now, Conformance Scan correctly respects your scan rules. For more information on scan rules, see Customizations

Other improvements

In addition, there are also some smaller improvements:

In some circumstances, the search words in the platform were still treated as case-sensitive and therefore not yielding correct search results. This has now been fixed so that search words provide matches regardless of differences in uppercase and lowercase letters.
The UI for adding format entries to data dictionaries has been refactored to resolve the issues with unexpected behavior in input validation.

Changed behavior

Auditors can now view the executive dashboards, just like organization administrators.

Compatibility

This section lists the compatible Docker images for some of the features of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

42crunch/apifirewall:v1.0.20
- Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
- Fixed decreasing the number of active instances when firewall shuts down abruptly.
42crunch/apifirewall:v1.0.19
- Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
42crunch/apifirewall:v1.0.18
- Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
- Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas.
42crunch/apifirewall:v1.0.17
- Upgrade to httpd 2.4.53 (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943).
42crunch/apifirewall:v1.0.16
- Fixed parsing multipart/form-data.
- Fixed rejecting requests that include a request body when the targeted API operation does not define a corresponding body.
- Upgrade to expat-2.4.4 (CVE-2022-23852, CVE-2022-23990).
42crunch/apifirewall:v1.0.13
- Upgrade to httpd-2.4.52 (CVE-2021-44224, CVE-2021-44790).
- Upgrade to openssl 1.1.1m.
- Various small improvements.
42crunch/apifirewall:v1.0.12
- Support for x-42c-access-control-based-on-ip-range_0.1 and x-42c-set-client-ip_0.1.
- Improved matching to allow filtering API calls by IP or network addresses.
- Fixed setting the request path when $TARGET_URL contains a basepath.
- Upgrade to Apache httpd 2.4.51 (CVE-2021-42013).
42crunch/apifirewall:v1.0.11
- GUARDIAN_BLOCKING_LEVEL and GUARDIAN_DEFAULT_API_BLOCKING_LEVEL environment variables.
- Upgrade to Apache httpd 2.4.50 (CVE-2021-41524, CVE-2021-41773).
42crunch/apifirewall:v1.0.10
- Fixed cookie attribute parsing in responses.
- Upgrade to Apache httpd 2.4.48 (CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275, CVE-2021-40438).
- Updated platform CA chain.
42crunch/apifirewall:v1.0.9-1
- Fixed handling UTF-8 patterns in JSON schemas.
- Upgrade to openSSL-1.1.1l (CVE-2021-3711, CVE-2021-3712).
- Updated platform CA chain.

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises:

42crunch/scand-agent:v1.22.1
- Fixed a bug in handling oneOf and anyOf.
42crunch/scand-agent:v1.22.0
- Fixed a bug in skipping response body analysis with scan rules.
42crunch/scand-agent:v1.21.1
- Fixed a bug in applying the default scan customization rule of the organization.
42crunch/scand-agent:v1.20.2
- Internal cleanup and refactoring.
42crunch/scand-agent:v1.20.1
- Percentages in the filter bar of the scan report.

All previous image versions have been deprecated and are no longer supported.

Deprecated components

There are no new deprecations in this release. For the list of current deprecations, see List of deprecated images and endpoints.

Known issues

This release has the following known issues.

Change in regular expressions breaks Safari support

The updated regular expressions used in the description fields of API and API collection naming conventions has temporarily broken the platform UI in Safari browsers.

This will be fixed in a future release. Other browsers work fine, so we recommend switching from Safari to a different browser for the time being.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that Conformance Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of Conformance Scan and scan rules in these cases, and this issue will be fixed in a future release.

Occasional issues with displaying some API, API collection, and collection dashboard details

There are some occasional issue with how APIs, API collections, and dashboards are displayed:

If you have more than one API collection and you go view an API, occasionally the API you previously viewed is shown.
If you go to view an API by searching, the details on the API summary tab can misappropriate the API to an API collection you viewed previously.
If you have very many APIs in one API collection and you go view the collection dashboard, the names of the APIs are not shown on the charts.
APIs that have not yet been scanned are shown in the API Conformance Scan chart in API collection, which may give the wrong impression that scan did not find any issues in them.

These issues are related to how the data is shown on the UI, and the underlying data in the backend is still correct. The issues do not happen consistently, and we are currently investigating them further. They will be fixed in a future release.

SQG status not updating on the API summary page

When there are changes to the SQGs applied to an API, for example, you tag the API to apply a new SQG, the SQG status on the audit report is correctly updated, but the API summary tab still shows the previous SQG status. When you rerun the audit, the status on the API summary tab is correctly updated.

In some circumstances the audit score badge shown on the API summary tab is not correctly updated to match the status of the audit SQGs passing or failing. This issue does not happen consistently, and we are currently investigating it.

These will be fixed in a future release.

Auditor can be made a team lead

Currently, organization administrators can make an auditor a team lead. As team leads, auditors can add and remove users in the team, which could affect who has access to API collections shared with the team. Note that auditors themselves never get read/write access to any APIs or API collections shared with their team.