42Crunch Platform release, July 16, 2024

This 42Crunch API Security Platform release introduces a v1-compatible mode to API Conformance Scan v2, a new setting to security quality gates (SQGs), and new x-42c vendor extensions for API Firewall.

New features

The following are the new features and the improvements to existing features in this release.

Scan v2 in v1-compatible mode

This applies to Scan v2 only.

You can now run the new Scan v2 engine in v1-compatible mode to provide a smoother transition from Scan v1 to Scan v2:

  • Get the better scanning capabilities, better accuracy, and improved scan reports of Scan v2, but with the familiar Scan v1 experience.
  • Run scans with the v2 engine in 42Crunch Platform, in addition to on-premises scans in Docker.
  • Use customizations defined as scan rules in the platform in your scans.
  • Keep your automation consistent: after creation, the scan configuration is read-only, which prevents unplanned changes that could break your workflows.

When you run Conformance Scan in the platform, you can now choose which engine to run: Scan v1, or Scan v2 in v1-compatible mode. The v2 engine keeps running the tests introduced in Scan v2 even when it runs in v1-compatible mode, so compatibility mode does not reduce the tests to the v1 set.

This is the first iteration of the compatibility mode. We will continue to improve it in upcoming releases and welcome your feedback on how to make it work better for you.

For more details, see Scan v2 in v1-compatible mode.

In addition, Scan v2 now includes an Accept header in each request it sends that is associated with an operationId defined in the OpenAPI definition of the API. If you have defined custom requests in your scan configuration, make sure each of them is associated with an operationId; otherwise the scan omits the Accept header for that request.

More control over SQG criteria

We have added a new setting for SQGs that lets organization administrators choose which of the SQGs they have created override the default SQG:

  • Allow certain specific SQGs to override the quality criteria from the default SQG, but keep combining criteria on other SQGs.
  • Choose case-by-case which criteria take precedence rather than one-size-fits-all.

The organization-level setting for combining criteria takes precedence over the setting on individual SQGs: if you do not allow combining SQG criteria from default and tag-based SQGs of the same type at organization level, this new per-SQG setting has no effect.

For more details, see Manage handling of criteria from default and tag-based SQGs.

New x-42c vendor extensions for API Firewall

We have added two new x-42c vendor extensions to the OpenAPI Specification (OAS) for API Firewall. These extensions do not apply additional protections; instead, they change how API Firewall behaves:

  • x-42c-forward-options: Set API Firewall to allow OPTIONS requests to pass through to the protected API, to simplify handling of cross-origin resource sharing (CORS).
  • x-42c-caseless-paths: Set API Firewall to match paths in your API caselessly (case-insensitively) if your API exposes file paths from a system where paths are caseless rather than case-sensitive.

For more details, see x-42c extensions for API Protection and API Firewall.
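The following is an added illustrative example, not 42Crunch code and not the implementation of x-42c-caseless-paths: it models how a path-aware gateway matches request paths against the path templates of an OpenAPI definition, and what changes when matching is caseless. The sample paths, the function names, and the deny-by-default policy are assumptions made for the example.

```python
# Added illustrative example (not 42Crunch code): case-sensitive vs caseless
# matching of request paths against OpenAPI path templates in a gateway.
# Sample paths, names, and the deny-by-default policy are made up.
import re
from typing import Iterable, Optional, Tuple

# Constructed sample OpenAPI paths; the mixed case on the second one mimics an
# API served from a filesystem where paths are not case-sensitive.
OAS_PATHS = ["/users/{userId}", "/Files/{name}/download", "/health"]


def template_to_regex(template: str) -> str:
    """Turn an OpenAPI path template into an anchored regex.

    Each {param} matches exactly one path segment; literal text is escaped.
    """
    pieces = []
    for part in re.split(r"(\{[^}]+\})", template):
        if part.startswith("{") and part.endswith("}"):
            pieces.append(r"[^/]+")
        else:
            pieces.append(re.escape(part))
    return "^" + "".join(pieces) + "$"


def match_path(request_path: str, templates: Iterable[str],
               caseless: bool = False) -> Optional[str]:
    """Return the first template the request path matches, or None.

    With caseless=True the comparison ignores case, which is what a
    caseless-paths setting asks for; {param} segments are matched the same
    way in both modes.
    """
    flags = re.IGNORECASE if caseless else 0
    for template in templates:
        if re.match(template_to_regex(template), request_path, flags):
            return template
    return None


def gateway_decision(request_path: str, templates: Iterable[str],
                     caseless: bool = False,
                     block_unknown: bool = True) -> Tuple[str, Optional[str]]:
    """Decide what a gateway does with a request path.

    ("forward", template): the path maps to a known operation, so that
        operation's validation applies.
    ("reject", None): unknown path and unknown paths are blocked.
    ("forward-unvalidated", None): unknown path let through unvalidated; this
        is the combination a case-sensitive matcher in front of a caseless
        backend must avoid, because /FILES/... then reaches the backend
        without the checks defined for /Files/{name}/download.
    """
    matched = match_path(request_path, templates, caseless)
    if matched is not None:
        return ("forward", matched)
    if block_unknown:
        return ("reject", None)
    return ("forward-unvalidated", None)


if __name__ == "__main__":
    for path in ["/Files/report.pdf/download", "/files/report.pdf/download"]:
        print(path,
              gateway_decision(path, OAS_PATHS),
              gateway_decision(path, OAS_PATHS, caseless=True))
```

With case-sensitive matching, a legitimate client request for /files/report.pdf/download is rejected by a deny-by-default gateway even though a caseless backend would serve it; with caseless matching it is mapped to /Files/{name}/download and validated as that operation. The worse case is a gateway that lets unknown paths through: there, the case variant bypasses the operation's checks entirely, which is why caseless matching belongs in front of caseless backends and unknown paths should stay blocked.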

Other improvements

The list of your API and IDE tokens now shows when each token was last used, or that it has never been used. This lets you remove unused tokens to reduce the exposure you carry from a leaked token, and lets you quickly check whether a token you suspect is compromised has actually been used. The timestamps are updated once every 24 hours, so the value shown can lag real use by up to a day: in an investigation, treat a token that shows as unused as possibly used within the last 24 hours. For more information on tokens, see Tokens.

We have also improved the generation of PDF files.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • 42crunch/apifirewall:v1.1.3
    • Support for x-42c-forward-options and x-42c-caseless-paths
    • Fixed serialization when validating path parameters in the OpenAPI definition that have oneOf or anyOf
    • Upgrade to httpd-2.4.61 (CVE-2024-39884, CVE-2024-36387, CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573)

We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/apifirewall:v1.1.2
    • Fixed schema validation of a nullable value when the value is null
  • 42crunch/apifirewall:v1.1.1
    • Upgrade to httpd-2.4.59 (CVE-2023-38709, CVE-2024-24795, CVE-2024-27316, CVE-2023-45802, CVE-2023-43622)
    • Upgrade to openssl-3.1.6 (CVE-2024-2511, CVE-2023-5678, CVE-2024-0727)
    • Support for the custom blocking mode
    • Fixed handling of query parameters when the property required is not explicitly defined
  • 42crunch/apifirewall:v1.0.25
    • Upgrade to go-1.21.1 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Upgrade to openssl-1.1.1w (CVE-2023-4807, CVE-2023-3817, CVE-2023-3446)
  • 42crunch/apifirewall:v1.0.24
    • Upgrade to httpd-2.4.57 (CVE-2023-25690, CVE-2023-27522)
    • Upgrade to openssl-1.1.1u (CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464)
    • Support for multiple API key security schemes with the same name
    • Fixed the handling of content media-type declared as opaque string in response validation
    • Fixed request body handling when API Firewall is set to non-blocking mode
    • Obfuscated headers (except Host) in transaction logs when the targeted API is unknown
    • New versions of JWT validation protections (x-42c-jwt-validation-ec_0.2, x-42c-jwt-validation-rsa_0.2, x-42c-jwt-validation-hmac_0.2)
      • Validating the scope claim of OAuth2 JWT tokens
      • Connecting to the JWKS server through a remote forward proxy
  • 42crunch/apifirewall:v1.0.23
    • Health check over SSL
    • The environment variable PLATFORM_HOST
    • Fixed the handling of multipart/form-data requests
    • Upgrade to openssl-1.1.1t
    • Upgrade to httpd-2.4.55
    • Upgrade to apr-util-1.6.3
  • 42crunch/apifirewall:v1.0.22
    • Fixed JWT signature validation
    • Allowed plain string content definition
    • Upgrade to openssl-1.1.1s
    • Upgrade to libexpat 2.5.0
    • Upgrade to libapreq 2.17
    • Upgrade to libjansson 2.14
    • Upgrade to libjose 11
    • Upgrade to libmaxminddb 1.7.1
  • 42crunch/apifirewall:v1.0.21
    • Fixed content handling in non-body parameters
    • HTTP status response code synchronization with Conformance Scan default expectations
  • 42crunch/apifirewall:v1.0.20
    • Upgrade to openssl-1.1.1o (CVE-2022-2274, CVE-2022-2097)
    • Fixed decreasing the number of active instances when firewall shuts down abruptly
  • 42crunch/apifirewall:v1.0.19
    • Upgrade to httpd-2.4.54 (CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813)
  • 42crunch/apifirewall:v1.0.18
    • Upgrade to openssl-1.1.1o (CVE-2022-0778, CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473)
    • Proper handling of the properties readOnly and writeOnly from the OpenAPI Specification (OAS) in schemas

All previous image versions have been deprecated and are no longer supported.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

Conformance Scan images

This release is compatible with the following Conformance Scan images for running it on-premises.

Scan v2

  • 42crunch/scand-agent:v2.0.9
    • Scan v2 in v1-compatible mode
    • Support for Accept headers
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)

We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.0.8
    • New test path-item-method-not-allowed-no-authn-scan
    • Support for apiConnectivityCheck, maxTimeoutRetryAttempts, and requestHeaderNameRequestType
    • Fixed implementation of reportIncludeRequestBody and reportIncludeResponseBody
    • Fixed handling of lookahead and lookbehind assertion references in regular expressions
  • 42crunch/scand-agent:v2.0.7
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v2.0.6
    • Lax testing mode
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v2.0.4
    • Numeric values exceeding the limits of float64 presented as strings
  • 42crunch/scand-agent:v2.0.3
    • Upgrade to Golang 1.21.5 (CVE-2023-45284, CVE-2023-45283, CVE-2023-39326)
    • New scan report
    • Tests parameter-header-contenttype-wrong-scan and partial-security-accepted
    • Support for reportIncludeRequestBody, reportIncludeResponseBody, reportMaxRequestSizeHappyPath, reportMaxRequestSizeTest
    • Improved logging for runtime limit
    • Heartbeat check

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • 42crunch/scand-agent:v1.22.17
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)

We highly recommend that you switch to the latest version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.22.16
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v1.22.15
    • Fixed handling of query parameters in request generation
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v1.22.14
    • Upgrade to Golang 1.21.5 (CVE-2023-39326, CVE-2023-45283)
  • 42crunch/scand-agent:v1.22.13
    • Upgrade to Golang 1.21.3 (CVE-2023-45284, CVE-2023-45283)
    • Heartbeat check to keep the connection to 42Crunch Platform active in case of extremely long scans
    • Fixed handling of example and x-42c-sample
  • 42crunch/scand-agent:v1.22.12
    • Support for text/plain as content type
    • Support for read-only properties
  • 42crunch/scand-agent:v1.22.11
    • Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Fixed handling of < and > characters in the request payload
    • Improved handling of content not supported by Conformance Scan
  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan into an infinite loop, and the process would never finish. This image version fixes that, so if your on-premises scans hang, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration

All previous image versions have been deprecated and are no longer supported.

Changed behavior

We have updated the regular expression library that 42Crunch Platform uses to PCRE2. Depending on your API, API Security Audit may raise new issues on regular expressions: patterns that were previously accepted may no longer be valid PCRE regular expressions because of fixes and stricter parsing in the library itself. Review such patterns rather than dismissing the new issues, since a pattern the library rejects cannot be enforced as written.

Known issues

This release has the following known issues.

Only the reference scan configuration shows SQG status in the scan report

Currently, the scan report summary shows the SQG status only on the report of the reference scan configuration. When you view other reports, the scan summary incorrectly shows that no SQGs apply to the API. SQGs are nevertheless applied correctly, and the SQG status is shown correctly for each report in the list of scan reports.

This will be fixed in a future release.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown in the list of users in your organization, but you can view all permissions a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes, applying tags to or removing them from an API triggers an unrelated error about failing to fetch the SQG approval report for the API. This happens when the API has been scanned on-premises and the scan finished after you opened the API Summary page: the UI cannot find the latest on-premises scan report and its associated approval report. Refreshing the page fetches the latest reports and clears the error.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted

In some cases, scan rules can cause HTTP status codes that Conformance Scan would normally expect in API responses (for example, HTTP 401 or HTTP 404) to be treated as unexpected, which produces false positives in the scan results.

By default, the expected HTTP status codes defined in scan rules applied to the scanned API take precedence over the response codes that Conformance Scan would otherwise expect. This causes problems if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. The rule then has null as its expected response code, and because the rule takes precedence over the default scan behavior, no response code except null is accepted. As a result, some tests are incorrectly flagged as returning unexpected response codes when they in fact succeeded. A rule that defines its expected response codes explicitly is not affected.

We are investigating how best to reconcile the designed behavior of Conformance Scan with scan rules in these cases; this issue will be fixed in a future release.
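The following is an added illustrative model, not 42Crunch's scan engine or its scan rule format: it shows how a rule's expected response codes combine with the scanner's defaults, reproduces the null-precedence problem described above, and contrasts it with a merge that falls back to the defaults when the rule is silent. The default code sets, the rule field names (skipHeaderAnalysis, expectedCodes), and the test ID missing-auth are made up for the example.

```python
# Added illustrative model (not 42Crunch's scan engine): how a scan rule's
# expected response codes combine with the scanner's defaults, with the
# null-precedence problem beside a merge that avoids it. Field names,
# default code sets and the test ID are constructed for the example.
from typing import Dict, Optional, Set

# Constructed defaults: what the scanner expects when no rule says otherwise.
DEFAULT_EXPECTED: Dict[str, Set[int]] = {
    "happy-path": {200, 201, 204},
    "*": {400, 401, 403, 404, 405, 415, 422},  # any test without its own entry
}


def default_codes(test_id: str) -> Set[int]:
    return DEFAULT_EXPECTED.get(test_id, DEFAULT_EXPECTED["*"])


def rule_codes(rule: Dict, test_id: str) -> Optional[Set[int]]:
    """Codes the rule declares for this test ID (or its own "*" entry), else None."""
    declared = rule.get("expectedCodes", {})
    return declared.get(test_id, declared.get("*"))


def effective_expected(rule: Dict, test_id: str,
                       rule_always_wins: bool) -> Optional[Set[int]]:
    """Resolve the set of accepted status codes for one request.

    rule_always_wins=True models the behaviour described on the page: the
    rule's value takes precedence even when the rule declares nothing, so the
    result is None ("null") and no response code is accepted.  With False the
    scanner falls back to its defaults whenever the rule is silent.
    """
    declared = rule_codes(rule, test_id)
    if declared is not None or rule_always_wins:
        return declared
    return default_codes(test_id)


def classify(rule: Dict, test_id: str, observed_status: int,
             rule_always_wins: bool = True) -> str:
    """Return "expected" or "unexpected" for an observed response code."""
    accepted = effective_expected(rule, test_id, rule_always_wins)
    if accepted is not None and observed_status in accepted:
        return "expected"
    return "unexpected"


# Constructed rules. The first only skips header analysis and says nothing
# about response codes; the second declares its codes explicitly.
RULE_SKIP_ONLY = {"skipHeaderAnalysis": True}
RULE_WITH_CODES = {
    "skipHeaderAnalysis": True,
    "expectedCodes": {"happy-path": {200}, "missing-auth": {401}},
}

if __name__ == "__main__":
    # A test that sends the request without credentials and gets 401 back.
    print(classify(RULE_SKIP_ONLY, "missing-auth", 401))         # -> unexpected
    print(classify(RULE_SKIP_ONLY, "missing-auth", 401, False))  # -> expected
    print(classify(RULE_WITH_CODES, "missing-auth", 401))        # -> expected
```

The first call is the false positive: the rule declares no codes, its null wins over the defaults, and a correct 401 is reported as unexpected. The second call shows the merge that treats null as "not specified". The third shows why a rule that declares its expected codes explicitly is unaffected, which is the shape to give your rules until the behavior is reconciled.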