CyberRes Fortify Software Security Content 2022 Update 2


About CyberRes Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,220 vulnerability categories across 30 languages and spans more than one million individual APIs.

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2022.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

Fortify Secure Coding Rulepacks [SCA]

With this release, the Fortify Secure Coding Rulepacks detect 1,000 unique categories of vulnerabilities across 30 programming languages and span over one million individual APIs. In summary, this release includes the following:

.NET improvements (version supported: 6.0)

.NET is a general programming platform that enables programmers to write code in languages such as C# and VB.NET against a standardized set of APIs. This release extends our coverage to the latest version of .NET, improves dataflow, and expands API coverage for the following categories:

  • Access Control: Database
  • Path Manipulation
  • Privacy Violation
  • Server-Side Request Forgery
  • SQL Injection
  • System Information Leak: External
  • Weak Cryptographic Hash: Insecure PBE Iteration Count
  • Weak Encryption: Insecure Mode of Operation

ASP.NET Core improvements (version supported: 6.0)

ASP.NET Core is the flagship web framework for use with .NET. The framework includes functionality to create many types of applications, including MVC web applications and Web APIs. This release extends our coverage to the latest version of ASP.NET Core, including minimal APIs, and expands the supported categories to include:

  • .NET Attribute Misuse: Authorization Bypass
  • ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection
  • ASP.NET Middleware Out of Order: Default Cookie Configuration
  • ASP.NET Middleware Out of Order: Insecure Transport
  • ASP.NET Middleware Out of Order: Insufficient Logging
  • ASP.NET Misconfiguration: Insecure Transport
  • Cookie Security: Missing SameSite Attribute
  • Cookie Security: Overly Permissive SameSite Attribute

Weak Cryptographic Implementation

Psychic Signatures (CVE-2022-21449) is a weakness in the Java implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA). This weakness allows an attacker to force the application to accept an all-zeros digital signature as valid. Vulnerable versions of Java include: 15, 16, 17, and 18. If a vulnerable version of Java is used, an attacker can forge some types of SSL certificates, signed JSON Web Tokens, or even WebAuthn authentication messages. This release adds support to report Weak Cryptographic Implementation in Java.

Jakarta EE support (version supported: 9.0.0)

Jakarta EE provides a vendor-neutral, open, and comprehensive set of specifications in the form of an open-source framework used to develop cloud-native Java applications. It was previously known as Java EE (or J2EE), which was one of the most recognizable frameworks for server-side Java. This release adds improvements to existing Java EE coverage spanning 52 weakness categories.

Secret scanning improvements

Secret scanning is a technique for searching for and detecting secrets in source code and configuration files. Configuration files that contain passwords or API tokens are sometimes accidentally leaked to source code repositories. This release adds identification of common password hash formats, as well as secrets in configuration files for products including the following: OpenVPN, Windows Remote Desktop, netrc, IntelliJ IDEA, DBeaver, FileZilla, Heroku, and DigitalOcean doctl.

Enhanced coverage is provided for the following categories:

  • Key Management: Empty Encryption Key
  • Key Management: Hardcoded Encryption Key
  • Key Management: Null Encryption Key
  • Password Management: Hardcoded Password
  • Password Management: Password in Configuration File
  • Password Management: Weak Cryptography
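To make the secret scanning description concrete, here is a small scanner added as an example for this page (it is not Fortify's rulepack logic). It walks a constructed key/value configuration plus a netrc-style line, reports hardcoded credentials, empty credentials and values that match common crypt(3)/bcrypt password hash formats, and deliberately skips values that are variable placeholders such as `${DB_PASSWORD}`, which is the false-positive case the errata below describe for Password Management: Password in Configuration File. The regular expressions, finding labels and sample file are all constructed here; the hash-format patterns are my reading of the bcrypt and crypt(3) layouts, not a list taken from the page.

```python
import re

# An unresolved placeholder is not a secret; these shapes are assumed for the example.
PLACEHOLDER = re.compile(
    r"^(\$\{[^}]*\}|\{\{[^}]*\}\}|%\([^)]*\)s|<[^>]*>|\$[A-Z_][A-Z0-9_]*)$")

# Common password hash formats (patterns written for this example).
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5-crypt", re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha256-crypt", re.compile(r"^\$5\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("sha512-crypt", re.compile(r"^\$6\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")),
]

# "key = value" / "key: value" lines whose key looks credential-related.
KV_LINE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:pass(?:word|wd)?|pwd|secret|token|api[_\-.]?key)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$", re.IGNORECASE)
# ~/.netrc style: machine HOST login USER password PASS
NETRC_LINE = re.compile(
    r"^\s*machine\s+\S+\s+login\s+\S+\s+password\s+(?P<value>\S+)", re.IGNORECASE)


def mask(value):
    """Keep two characters so an auditor can locate the value without the report leaking it."""
    return (value[:2] + "*" * max(len(value) - 2, 0)) if value else ""


def hash_format(value):
    for name, pattern in HASH_FORMATS:
        if pattern.match(value):
            return name
    return None


def scan(text):
    """Return (line number, finding, masked value) for each credential-like line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = NETRC_LINE.match(line)
        if m:
            findings.append((lineno, "netrc credential", mask(m.group("value"))))
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        if not value:
            findings.append((lineno, "empty credential", ""))
        elif PLACEHOLDER.match(value):
            continue   # variable placeholder: resolved at deploy time, do not report
        elif hash_format(value):
            findings.append((lineno, "password hash: " + hash_format(value), mask(value)))
        else:
            findings.append((lineno, "hardcoded credential", mask(value)))
    return findings


# Constructed sample configuration; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample configuration, not real credentials
db.host = db.internal
db.password = hunter2-example
backup.password = ${BACKUP_PASSWORD}
api_token =
admin.password_hash = $2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
legacy.password_hash = $6$saltsalt$""" + "x" * 86 + """
machine api.example.com login deploy password s3cr3t-example
"""

if __name__ == "__main__":
    for lineno, finding, shown in scan(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding} {shown}")
```

Line 4 of the sample produces no finding because its value is a placeholder, while line 3 (a literal), line 5 (an empty value) and lines 6 and 7 (hash strings) are reported with masked values, so the scan output itself does not become a second copy of the secret.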

Express JS improvements (version supported: 4.x)[1]

Express is a framework for building web applications with Node.js. It provides functionality for routing, error handling, templating, middleware management, and HTTP-related utilities.

In this release, we improved support for Express 4.x for the following categories:

  • Cookie Security: Missing SameSite Attribute
  • Cookie Security: Overly Permissive SameSite Attribute
  • Insecure Transport
  • Path Manipulation
  • Privacy Violation
  • Process Control
  • Setting Manipulation
  • System Information Leak: External

JavaScript Handlebars (version supported: 4.7.7)

Handlebars is a JavaScript library designed for making reusable web templates. These templates are a combination of HTML, text, and expressions. Expressions are embedded directly in the HTML code and serve as a placeholder for content that is to be inserted by code, thus making the document easily reusable.

In this release, we have added support for Handlebars 4.7.7, improved dataflow coverage, and expanded API coverage for the following categories:

  • Cross-Site Scripting: Handlebars Helper
  • Handlebars Misconfiguration: Escaping Disabled
  • Handlebars Misconfiguration: Prototypes Allowed
  • Log Forging
  • Log Forging (debug)
  • Privacy Violation
  • System Information Leak
  • Template Injection

JavaScript Mustache (version supported: 4.2.0)

Mustache is an open-source, logic-less template system in which templates and views are combined to produce dynamic output. Templates contain the presentation format and code, whereas views contain the data to be included in the templates.

In this release, we have added support for Mustache 4.2.0 to identify Template Injection weaknesses.

GraphQL.js (version supported: 16.5.0)

GraphQL.js is the JavaScript reference implementation for GraphQL and is widely used in JavaScript applications. This release adds initial GraphQL server support to detect the following weakness categories in GraphQL APIs:

  • Cross-Site Scripting: Inter-Component Communication
  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Poor Validation
  • Cross-Site Scripting: Reflected
  • GraphQL Bad Practices: Introspection Enabled
  • GraphQL Bad Practices: GraphiQL Enabled
  • Privacy Violation
  • System Information Leak: External

Graphene-Python (version supported: 3.0.0)

Graphene-Python is a popular GraphQL server framework for Python applications. This release improves upon our GraphQL server support from 2022.1.0 to detect the following weakness categories in GraphQL APIs:

  • Cross-Site Scripting: Inter-Component Communication
  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Poor Validation
  • Cross-Site Scripting: Reflected
  • Privacy Violation
  • System Information Leak: External

Cloud Infrastructure as Code

Infrastructure as Code (IaC) is the process of managing and provisioning computer resources through code rather than various manual processes. This release adds expanded support for IaC. Technologies supported include Ansible configurations for deployment to Azure and AWS and Terraform configurations for deployment to Azure and GCP. Common issues related to the configuration of the services mentioned are now reported to the developer.

Terraform configurations:
Terraform is an open-source infrastructure as code tool for building, changing, and versioning cloud infrastructure. It uses its own declarative language, known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files that describe the desired state.

Terraform providers support the configuration and management of Microsoft Azure infrastructure. In this release, we report the following categories for Terraform configurations of Microsoft Azure services:

  • Azure Terraform Misconfiguration: Insecure App Service Transport
  • Azure Terraform Misconfiguration: Insecure CDN Endpoint Transport
  • Azure Terraform Misconfiguration: Insecure Function App Transport
  • Azure Terraform Misconfiguration: Insecure Logic App Transport
  • Azure Terraform Misconfiguration: Insecure MariaDB Transport
  • Azure Terraform Misconfiguration: Insecure MySQL Transport
  • Azure Terraform Misconfiguration: Insecure Network Monitor Transport
  • Azure Terraform Misconfiguration: Insecure PostgresSQL Transport
  • Azure Terraform Misconfiguration: Insecure Redis Cache Transport
  • Azure Terraform Misconfiguration: Insecure Spring Cloud Redis Transport
  • Azure Terraform Misconfiguration: Insecure Spring Cloud Transport
  • Azure Terraform Misconfiguration: Insecure Storage Account Transport

Terraform providers support the configuration and management of Google Cloud Platform (GCP) infrastructure. In this release, we report the following categories for Google Cloud Platform Terraform configurations:

  • GCP Terraform Bad Practice: Overly Permissive Service Account
  • GCP Terraform Misconfiguration: BigQuery Dataset Publicly Accessible
  • GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled
  • GCP Terraform Misconfiguration: Cloud KMS CryptoKey Publicly Accessible
  • GCP Terraform Misconfiguration: Cloud SQL Backup Disabled
  • GCP Terraform Misconfiguration: Cloud Storage Bucket Publicly Accessible
  • GCP Terraform Misconfiguration: Compute Engine Access Control
  • GCP Terraform Misconfiguration: Compute Engine Default Service Account
  • GCP Terraform Misconfiguration: Compute Engine Project-Wide SSH
  • GCP Terraform Misconfiguration: Google Project Network Access Control
  • GCP Terraform Misconfiguration: Insecure Cloud SQL Transport
  • GCP Terraform Misconfiguration: Insecure Load Balancer Transport
  • GCP Terraform Misconfiguration: Insufficient Cloud Storage Bucket Logging
  • GCP Terraform Misconfiguration: Insufficient GKE Cluster Logging
  • GCP Terraform Misconfiguration: Insufficient GKE Cluster Monitoring
  • GCP Terraform Misconfiguration: Insufficient VPC Flow Logging
  • GCP Terraform Misconfiguration: GKE Cluster Administrative Interface Access Control
  • GCP Terraform Misconfiguration: GKE Cluster Certificate-Based Authentication
  • GCP Terraform Misconfiguration: GKE Cluster Legacy Authorization
  • GCP Terraform Misconfiguration: GKE Cluster HTTP Basic Authentication
  • GCP Terraform Misconfiguration: GKE Container-Optimized OS Not In Use
  • GCP Terraform Misconfiguration: GKE Node Auto-Upgrade Disabled
  • GCP Terraform Misconfiguration: Weak Cryptographic Cloud DNS Signature
  • GCP Terraform Misconfiguration: Weak GKE Cluster Network Management
  • GCP Terraform Misconfiguration: Weak Key Management
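Several of the Azure and GCP categories above reduce to a single attribute on a single resource type, which is what makes them good candidates for an IaC scanner. The following checker is an added example for this page, not Fortify's rule logic: it runs a handful of those checks over constructed resource records whose shape loosely follows the "values" blocks of `terraform show -json`, with each weak resource next to its corrected counterpart. The resource types and attribute names (`enable_https_traffic_only`, `enable_non_ssl_port`, `enable_legacy_abac`, `issue_client_certificate`, `dnssec_config.state`, `ip_configuration.require_ssl`, `allUsers`) are my understanding of the azurerm and google providers and should be confirmed against the provider documentation for the version in use; the category strings are the page's own names.

```python
# Public IAM principals that expose a bucket to everyone (GCP special members).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def check_azure(rtype, values):
    """Azure checks; attribute names are those of the azurerm provider as assumed here."""
    if rtype == "azurerm_storage_account" and values.get("enable_https_traffic_only") is False:
        yield "Azure Terraform Misconfiguration: Insecure Storage Account Transport"
    if rtype == "azurerm_mysql_server" and values.get("ssl_enforcement_enabled") is False:
        yield "Azure Terraform Misconfiguration: Insecure MySQL Transport"
    if rtype == "azurerm_redis_cache" and values.get("enable_non_ssl_port") is True:
        yield "Azure Terraform Misconfiguration: Insecure Redis Cache Transport"


def check_gcp(rtype, values):
    """GCP checks; attribute names are those of the google provider as assumed here."""
    if rtype in ("google_storage_bucket_iam_member", "google_storage_bucket_iam_binding"):
        members = values.get("members") or [values.get("member")]
        if PUBLIC_MEMBERS.intersection(members):
            yield "GCP Terraform Misconfiguration: Cloud Storage Bucket Publicly Accessible"
    if rtype == "google_container_cluster":
        if values.get("enable_legacy_abac"):
            yield "GCP Terraform Misconfiguration: GKE Cluster Legacy Authorization"
        cert = values.get("master_auth", {}).get("client_certificate_config", {})
        if cert.get("issue_client_certificate"):
            yield "GCP Terraform Misconfiguration: GKE Cluster Certificate-Based Authentication"
    if rtype == "google_dns_managed_zone":
        # DNSSEC is off unless the block is present and explicitly enabled.
        if values.get("dnssec_config", {}).get("state", "off") != "on":
            yield "GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled"
    if rtype == "google_sql_database_instance":
        ip_cfg = values.get("settings", {}).get("ip_configuration", {})
        if not ip_cfg.get("require_ssl", False):   # default is unencrypted connections allowed
            yield "GCP Terraform Misconfiguration: Insecure Cloud SQL Transport"


def check_resources(resources):
    """Return (resource address, category) pairs for every check that fires."""
    findings = []
    for rtype, name, values in resources:
        address = f"{rtype}.{name}"
        for category in list(check_azure(rtype, values)) + list(check_gcp(rtype, values)):
            findings.append((address, category))
    return findings


# Constructed sample records: (terraform type, name, attribute values), weak beside fixed.
SAMPLE_RESOURCES = [
    ("azurerm_storage_account", "weak", {"enable_https_traffic_only": False}),
    ("azurerm_storage_account", "fixed", {"enable_https_traffic_only": True}),
    ("azurerm_redis_cache", "weak", {"enable_non_ssl_port": True}),
    ("azurerm_redis_cache", "fixed", {"enable_non_ssl_port": False}),
    ("google_storage_bucket_iam_member", "weak",
     {"member": "allUsers", "role": "roles/storage.objectViewer"}),
    ("google_storage_bucket_iam_member", "fixed",
     {"member": "serviceAccount:app@example-project.iam.gserviceaccount.com",
      "role": "roles/storage.objectViewer"}),
    ("google_container_cluster", "weak",
     {"enable_legacy_abac": True,
      "master_auth": {"client_certificate_config": {"issue_client_certificate": True}}}),
    ("google_container_cluster", "fixed",
     {"enable_legacy_abac": False,
      "master_auth": {"client_certificate_config": {"issue_client_certificate": False}}}),
    ("google_dns_managed_zone", "weak", {"dns_name": "example.com."}),
    ("google_dns_managed_zone", "fixed", {"dns_name": "example.com.", "dnssec_config": {"state": "on"}}),
    ("google_sql_database_instance", "weak",
     {"settings": {"ip_configuration": {"ipv4_enabled": True}}}),
    ("google_sql_database_instance", "fixed",
     {"settings": {"ip_configuration": {"ipv4_enabled": True, "require_ssl": True}}}),
]

if __name__ == "__main__":
    for address, category in check_resources(SAMPLE_RESOURCES):
        print(f"{address}: {category}")
```

Two design points carry over to real scanners: checks must reason about provider defaults (an absent `dnssec_config` or `require_ssl` is a finding, not a pass), and they should run on the resolved plan rather than raw HCL so that values set through variables and modules are evaluated rather than skipped.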

Ansible configurations:
Ansible is an open-source automation tool that provides configuration management, application deployment, cloud provisioning, and node orchestration to various environments.

Ansible includes modules that support the configuration and management of Amazon Web Services (AWS). In this release, we report the following categories for AWS Ansible configurations:

  • AWS Ansible Misconfiguration: Amazon RDS Publicly Accessible
  • AWS Ansible Misconfiguration: Insecure CloudFront Distribution Transport
  • AWS Ansible Misconfiguration: Insufficient CloudTrail Logging

Ansible also includes modules that support the configuration and management of Microsoft Azure Cloud Computing Services. In this release, we report the following categories for Microsoft Azure Ansible configurations:

  • Azure Ansible Misconfiguration: Overly Permissive Azure SQL Database Firewall

Miscellaneous errata

In this release, we have continued to invest resources to ensure we can reduce the number of false positive issues and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

Log4j (version supported: 2.17)

Support for Log4j now includes detection of a new category, Denial of Service: Stack Exhaustion.

Oslo.config (version supported: 8.8.0)

Initial support for oslo.config for Python includes detection of a new category, Privacy Violation: Unobfuscated Logging.

Objective-C error fixes and performance improvements

Customers who scanned their projects that include Objective-C files using the 2022R1 rulepacks might have encountered the following problems:

  • During the scan phase, error messages in the form of “[error] Unexpected exception during dataflow analysis...” could appear in the SCA output or log files
  • Unusually long scan time in dataflow analysis, which could result in loss of dataflow issues

An Objective-C hotfix rulepack was provided to the affected customers to address those issues. The same fix is included in this official R2 release. Customers who were using the hotfix rulepack should remove it after updating to the R2 release rulepacks.

False Positive improvements:

Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:

  • SQL Injection: iBatis Data Map - False positives prevented when literal '$' characters encountered
  • Password Management: Password in Configuration File - False positives prevented when value is a variable placeholder
  • .NET MVC Bad Practices: Model With Required Non-Nullable Property - False positives prevented in C# ASP.NET applications when using the [BindRequired] attribute
  • Often Misused: Authentication - False positives reduced in Java applications
  • XSS: Content Sniffing - False positives reduced in Java Spring applications
  • Privacy Violation - False positives reduced in .NET applications
  • SOQL Injection and SOSL Injection - Issues found by the semantic analyzer will now report with Low Fortify Priority Order

Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability Support

OGNL Expression Injection: Double Evaluation

A critical OGNL Expression Injection vulnerability identified by CVE-2022-26134 affects Atlassian Confluence Server and Data Center. This vulnerability allows an unauthenticated attacker to execute arbitrary code on vulnerable applications. The affected versions of Confluence Server and Data Center are from 1.3.0 to 7.4.16, from 7.13.0 to 7.13.6, from 7.14.0 to 7.14.2, from 7.15.0 to 7.15.1, from 7.16.0 to 7.16.3, from 7.17.0 to 7.17.3, and 7.18.0. This release includes a check to detect this vulnerability on affected Confluence Server and Data Center installations.

Dynamic Code Evaluation: Code Injection

Spring Framework by Pivotal has been found to be vulnerable to a remote code execution (RCE) vulnerability identified by CVE-2022-22965. A remote attacker can supply specially crafted request parameters that can lead to arbitrary code execution. This release includes a check to detect this vulnerability in web applications with affected Spring Framework versions.

Insecure Deployment: OpenSSL

OpenSSL, a popular crypto library widely used to support SSL/TLS connections, has been found to be vulnerable to a denial-of-service (DoS) vulnerability identified by CVE-2022-0778. It is possible to trigger an infinite loop DoS on the affected system by crafting a certificate that has invalid explicit elliptic curve parameters. This release includes a check to detect the CVE-2022-0778 vulnerability on target web servers. Because this check has the potential to cause a DoS condition on the affected system, making it unavailable for service, it is not included in the Standard policy. To run this check, use the All Checks policy, customize an existing policy to include it, or create a custom policy.

Miscellaneous errata

In this release, we have continued to invest resources to reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:

Password Management: Weak Password Policy

This release includes minor improvements to the password policy check: password and username fields are now recognized with improved accuracy when the input type is a text box.

Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

Fortify Taxonomy: Software Security Errors

The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Fortify Support Portal.

Contact Fortify Technical Support

CyberRes Fortify
http://softwaresupport.softwaregrp.com/
+1 (844) 260-7219

Contact SSR

Alexander M. Hoole
Senior Manager, Software Security Research
CyberRes Fortify
hoole@microfocus.com
+1 (650) 258-5916

Peter Blay
Manager, Software Security Research
CyberRes Fortify
peter.blay@microfocus.com


[1] Requires SCA version 22.1.1
