Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
About CyberRes Fortify Software Security Research
The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,220 vulnerability categories across 30 languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2022.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 1,000 unique categories of vulnerabilities across 30 programming languages and span over one million individual APIs. In summary, this release includes the following:
.NET improvements (version supported: 6.0)
.NET is a general programming platform that enables programmers to write code in languages such as C# and VB.NET with a standardized set of APIs. This release increases our coverage to the latest version of .NET to improve dataflow, as well as expand API coverage for the following categories:
ASP.NET Core improvements (version supported: 6.0)
ASP.NET Core is the flagship web framework for use with .NET. The framework includes functionality to create many types of applications including MVC web applications and Web APIs. This release increases our coverage to the latest version of ASP.NET Core, including minimal APIs, and expands our supported categories to include:
Weak Cryptographic Implementation
Psychic Signatures (CVE-2022-21449) is a weakness in the Java implementation of the Elliptical Curve Digital Signature algorithm (ECDSA). This weakness allows an attacker to force the application to accept an all-zeros digital signature as valid. Vulnerable versions of Java include: 15, 16, 17, and 18. If a vulnerable version of Java is used, an attacker can forge some types of SSL certificates, signed JSON Web tokens, or even WebAuthn authentication messages. This release adds support to report Weak Cryptographic Implementation in Java.
Jakarta EE support (version supported: 9.0.0)
Jakarta EE provides a vendor neutral, and open, comprehensive set of specifications in the form of an open-source framework used to develop cloud native Java applications. It was previously known as Java EE (or J2EE), which was one of the most recognizable frameworks for server-side Java. This release adds improvements to existing Java EE coverage spanning 52 weakness categories.
Secret scanning improvements
Secret scanning is a technique for searching and detecting secrets in source code and configuration files. Sometimes configuration files that contain passwords or API tokens can accidentally be leaked to source code repositories. This release includes support for common password hash formats. Coverage includes identification of common password hash formats and secrets in configuration files for products including the following: OpenVPN, Windows Remote Desktop, netrc, IntelliJ IDEA, DBeaver, FileZilla, Heroku, and DigitalOcean doctl.
Enhanced coverage is provided for the following categories:
Express JS improvements (version supported: 4.x)[1]
Express is a framework for building web applications with Node.js. It provides functionality for routing, error handling, templating, middleware management, and HTTP-related utilities.
In this release, we improved support for Express 4.x for the following categories:
JavaScript Handlebars (version supported: 4.7.7)
Handlebars is a JavaScript library designed for making reusable web templates. These templates are a combination of HTML, text, and expressions. Expressions are embedded directly in the HTML code and serve as a placeholder for content that is to be inserted by code, thus making the document easily reusable.
In this release, we have added support for Handlebars 4.7.7, improved dataflow coverage, and expanded API coverage for the following categories:
JavaScript Mustache (version supported: 4.2.0)
Mustache is an open-source logic-less template system that provides templates and views as the basis for creating dynamic templates. Templates contain the presentation format and code, whereas views contain the data to be included in the templates.
In this release, we have added support for Mustache 4.2.0 to identify Template Injection weaknesses.\
GraphQL.js (version supported: 16.5.0)
GraphQL.js is the JavaScript reference implementation for GraphQL and is widely used in JavaScript applications. This release adds initial GraphQL server support to detect the following weakness categories in GraphQL APIs:
Graphene-Python (version supported: 3.0.0)
Python-Graphene is a popular GraphQL server framework for Python applications. This release improves upon our GraphQL server support from 2022.1.0 to detect the following weakness categories in GraphQL APIs:
Cloud Infrastructure as Code
Infrastructure as Code (IaC) is the process of managing and provisioning computer resources through code rather than various manual processes. This release adds expanded support for IaC. Technologies supported include Ansible configurations for deployment to Azure and AWS and Terraform configurations for deployment to Azure and GCP. Common issues related to the configuration of the services mentioned are now reported to the developer.
Terraform configurations:
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state.
Terraform providers support the configuration and management of Microsoft Azure infrastructure. In this release, we report the following categories for Microsoft Azure services Terraform configurations:
Terraform providers support the configuration and management of Google Cloud Platform (GCP) infrastructure. In this release, we report the following categories for Google Cloud Platform Terraform configurations:
Ansible configurations:
Ansible is an open-source automation tool that provides configuration management, application deployment, cloud provisioning, and node orchestration to various environments.
Ansible includes modules that support the configuration and management of Amazon Web Services (AWS). In this release, we report the following categories for AWS Ansible configurations:
Ansible also includes modules that support the configuration and management of Microsoft Azure Cloud Computing Services. In this release, we report the following categories for Microsoft Azure Ansible configurations:
Miscellaneous errata
In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Log4j (version supported: 2.17)
Support for Log4j now includes detection of a new category, Denial of Service: Stack Exhaustion.
Oslo.config (version supported: 8.8.0)
Initial support for oslo.config for Python includes detection of a new category, Privacy Violation: Unobfuscated Logging.
Objective-C error fixes and performance improvements
Customers who scanned their projects that include Objective-C files using the 2022R1 rulepacks might have encountered the following problems:
An Objective-C hotfix rulepack was provided to the affected customers to address those issues. The same fix is included in this official R2 release. Customers who were using the hotfix rulepack should remove the hotfix rulepack upon updating to the R2 release rulepacks.
False Positive improvements:
Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:
Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:
Vulnerability Support
OGNL Expression Injection: Double Evaluation
A critical OGNL Expression Injection vulnerability identified by CVE-2022-26134 affects Atlassian Confluence Server and Data Center. This vulnerability allows an unauthenticated attacker to execute arbitrary code on vulnerable applications. The affected versions of Confluence Server and Data Center are from 1.3.0 to 7.4.16, from 7.13.0 to 7.13.6, from 7.14.0 to 7.14.2, from 7.15.0 to 7.15.1, from 7.16.0 to 7.16.3, from 7.17.0 to 7.17.3, and 7.18.0. This release includes a check to detect this vulnerability in affected Confluence and Data Center servers.
Dynamic Code Evaluation: Code Injection
Spring Framework by Pivotal has been found to be vulnerable to a remote code execution (RCE) vulnerability identified by CVE-2022-22965. A remote attacker can supply specially crafted request parameters that can lead to arbitrary code execution. This release includes a check to detect this vulnerability in web applications with affected Spring Framework versions.
Insecure Deployment: OpenSSL
OpenSSL, a popular crypto library widely used to support SSL/TLS connections, has been found to be vulnerable to a denial-of-service (DoS) vulnerability identified by CVE-2022-0778. It is possible to trigger an infinite loop DoS on the affected system by crafting a certificate that has invalid explicit elliptic curve parameters. This release includes a check to detect the CVE-2022-0778 vulnerability on target web servers. Because this check has the potential to cause a DoS condition on the affected system that results in it becoming unavailable for service, this check is not included in the Standard policy. Use either the All Checks policy, customize an existing policy to include the check, or create a custom policy to run this check.
Miscellaneous errata
In this release, we have continued to invest resources to reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:
Password Management: Weak Password Policy
This release includes minor improvements for the password policy check where password/username fields are recognized with improved accuracy when input type is a text box.
Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Fortify Support Portal.
Contact Fortify Technical Support
CyberRes Fortify
http://softwaresupport.softwaregrp.com/
+1 (844) 260-7219
Contact SSR
Alexander M. Hoole
Senior Manager, Software Security Research
CyberRes Fortify
hoole@microfocus.com
+1 (650) 258-5916
Peter Blay
Manager, Software Security Research
CyberRes Fortify
peter.blay@microfocus.com
[1] Requires SCA version 22.1.1