Java/JVM agent releases
v1.17.1
2023-01-11
Improved
- We updated vulnerable libraries.
Fixed
- We fixed an issue with ZipFile monitoring in local files in OpenJDK versions 10 and later.
v1.17.0
2022-08-08
New
- IP blocking by country is now supported. See the IP groups page for more details.
Fixed
- Fixed a potential data race during system info collection on Windows.
v1.16.1
2022-05-27
Fixed
- We removed Route instrumentation that reported invalid route URLs referencing servlet class names.
- We fixed an issue where the agent failed to start on JRE 7 due to incompatible dependencies.
v1.16.0
2022-04-14
New
- JS Agent Subresource Integrity (SRI) support
Fixed
- CSP headers were included in responses with non-HTML content.
- The agent would cause 500 responses when a request contained a negative Content-Length header value, on Tomcat servers.
- The agent would fail to apply App Firewall checks when a request contained a negative Content-Length header value.
v1.15.2
2022-02-17
Fixed
- Fixed an issue where Routes were not reported correctly on Spring Framework versions 5.3 and above.
- Fixed an issue where JAR file paths were not parsed correctly on Windows systems, causing missing package information in the tCell UI.
v1.15.1
2022-02-08
Fixed
- The agent would stop sending events after an extended period of time or after heavy load.
- Memory leak was noticeable after several days of uptime.
v1.15.0
2022-01-25
New
- Log4J JNDI lookups blocked by default. To disable this feature, set the block_log4shell_enabled config file property or the TCELL_AGENT_BLOCK_LOG4SHELL_ENABLED environment variable to false.
Fixed
- Fixed an issue parsing cookie values in Jetty 9.3, Tomcat 7, and Wildfly 18+
- Upgraded Rust version for native library to 1.58.1 to remediate CVE-2022-21658.
v1.14.1
2021-11-04
Fixed
- The jackson-databind and commons-io dependencies were upgraded due to CVE-2020-25649 and CVE-2021-29425 existing in the prior version. However, those vulnerabilities do not apply to the agent.
- An empty multipart request body would cause App Firewall checks to fail on Wildfly, Undertow, and Jetty servers.
- Server Agent Details events failed to report framework information on Wildfly servers.
v1.14.0
2021-09-24
New
- Proxy support -- See Using the Rapid7 Collector as a proxy for tCell.
Fixed
- Redirect event request URLs did not include the host or scheme.
v1.13.1
2021-06-28
Fixed
- We fixed an issue where URIs in Local Files and OS Commands events were missing query string parameter names.
- We fixed an issue where remote addresses containing ports were not parsed correctly, which impacted policy enforcement.
- We fixed an issue where IPv6 addresses were not parsed correctly, which impacted policy enforcement.
- We fixed an issue where dot notation in App Firewall Blocking Rules JSON parameters was not parsed correctly, which impacted policy enforcement.
- We fixed an issue where request bodies were not inspected if the Content-Type included a character set.
v1.13.0
2020-10-05
New
- App Firewall Event Filtering using IP CIDR Ranges and IP Groups
v1.12.4
2020-09-28
Fixed
- Fixed an issue where the agent unnecessarily instrumented CGLIB Proxy classes, leading to application errors during some requests.
- Fixed an issue where log messages near the beginning of the agent lifecycle were missing.
- Fixed an issue where the agent failed to parse configuration files in UTF-8 BOM format.
v1.12.3
2020-09-03
New
- Added Wildfly 16-20 support.
Fixed
- Fixed an issue where a missing Secure Hash Algorithms (SHA) package digest led to an unknown version in the user interface.
Improvements
- Allowed JBoss instrumentation exclusion through configuration.
v1.12.2
2020-08-21
Fixed
- Fixed an issue where Route instrumentation could report an invalid HTTP method.
- Upgraded a Jackson dependency to remediate multiple CVEs.
- Fixed an issue where injected instrumentation code could result in a bytecode verification error.
- Fixed an issue where Apache Struts Route instrumentation throws a NullPointerException if an ActionConfig is registered with no name.
Improvements
- Improved logging around package information collection.
v1.12.1
2020-06-26
Fixed
- Fixed an issue where the default cache and logs directories were incorrect for Windows deployments.
v1.12.0
2020-06-23
New
- SHA256 file hashes are available to download for both the ZIP and TAR release archives. To download, add .sha256 to either download link.
Improvements
- The tCell log line format changed slightly to include more precision in the timestamp. Timestamps are still valid ISO8601.
- Removed support for deprecated configuration properties allow_unencrypted_appfirewall_payloads and allow_unencrypted_appsensor_payloads. These are superseded by allow_payloads.
Known Issues
- Default cache and logs directories are incorrect for Windows deployments.
v1.11.2
2020-05-29
Fixed
- Fixed an issue where the agent loaded tCell classes unnecessarily and discarded them, leading to increased memory consumption, class loading contention, and increased garbage collection activity. This bug affects all prior versions since v1.8.0.
v1.11.1
2020-05-27
Fixed
- Fixed an issue where the agent could stop sending events if tCell servers became unavailable, and the agent previously sent events successfully.
- Fixed an issue where the agent could cache a large number of Local Files discovered paths, leading to increased memory consumption.
v1.11.0
2020-04-30
New
- TCELL_AGENT_CACHE_DIR environment variable support to allow specifying the tCell policy cache directory. See Server Agent Options for more details.
v1.10.0
2020-04-24
New
- Standard out logging. See the field destination under logging_options on the Server Agent Options page.
Improved
- The agent native library now ships outside the agent JAR files to avoid unpacking at runtime and requiring write access to the filesystem.
v1.9.1
2020-04-06
Fixed
- Fixed an issue with Application Routes instrumentation where app requests could fail in certain cases.
- Fixed an issue with Application Routes where a route with no HTTP method defined would not be reported correctly by the agent.
v1.9.0
2020-03-24
New
- Improved Application Routes: Better support for Spring request mappings and parameters.
Fixed
- Fixed various issues with OS Commands parsing on Windows.
Improved
- Local Files policy violation events now include whether the file existed at the time of access.
- Improved the performance of IP lookups in App Firewall blocking rules.
- Implemented a 2 MB maximum body size for event sending requests.
v1.8.3
2020-02-18
Fixed
- Fixed an issue where log statements below the configured log level were added to tCell instrumented classes.
- Fixed an issue where the log level in tCell class instrumentation could differ from the configured agent log level.
- Fixed an issue where the agent would cause Wildfly servers to fail to start.
Improved
- Removed support for Data Loss Prevention.
- Removed support for gathering the current stack frame during file open instrumented by the Local Files feature.
v1.8.2
2020-01-30
Fixed
- Fixed an issue where the agent hooks library JAR did not contain the necessary class files.
- Fixed an issue with CSP injection where headers could appear multiple times on servers that use multiple threads to handle a request.
v1.8.1
2019-12-11
Fixed
- Fixed an issue with Local Files directory categorization where the agent would fail to start on Windows.
- Fixed an issue with Local Files instrumentation where the agent would fail to start on Windows.
- Fixed an issue where the tCell agent native library failed to load on Windows.
Improved
- Improved TRACE level logging in instrumentation code.
v1.8.0
2019-11-20
New
- Java 11 support
Fixed
- Fixed an issue with OS Commands and Local Files where policy rules would be applied incorrectly to Windows paths due to inconsistent character casing.
- Fixed an issue with Local Files where a file opened in Read/Write mode using the JDK class RandomAccessFile would trigger a Read event only, instead of a Read event and a Write event.
v1.7.0
2019-10-02
New
- Diagnostics packages are now uploaded directly to tCell in addition to being saved on the local file system. Full documentation here.
Fixed
- Fixed an issue where certain response error codes would not be reported to tCell on Jetty and Undertow web servers.
v1.6.0
2019-08-26
New
- Local Files access detection (Feature guide coming soon)
- Diagnostics packaging
Fixed
- Fixed an issue where the default JS Agent url used the legacy hostname tcell.io
- Fixed an issue where the agent would request policies and send events before checking if its configuration is valid.
- Fixed an issue where the agent would send events to confirm a policy update, even if there was no change to the policy.
- Fixed an issue where the log file size before rolling did not match our documented maximum file size.
v1.5.4
2019-06-07
Fixed
- Fixed an issue where the tCell instrumented request data stream could behave differently than the original stream.
- Fixed an issue where the queue used to inspect requests could crash due to a bug in the Rust standard library.
v1.5.3
2019-05-02
Fixed
- Fixed an issue where the agent could insert duplicate headers (such as CSP) with applications running on Jetty servers. In some cases these duplicate headers could overflow the response header buffer and cause an internal server error.
- Reduced log level for a noisy message concerning the exclusion of Spring proxy classes from tCell instrumentation.
New
- Added agent version to the output of java -jar tcellagent.jar test.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.5.2
2019-02-25
Fixed
- Fixed an issue where the agent could fail to start on Alpine Linux using the Oracle JRE.
- Fixed an issue where agent instrumentation could interfere with Spring proxy classes.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.5.1
2019-01-29
Fixed
- Fixed an issue where rolled log files would be created in the application root directory, instead of TCELL_AGENT_HOME.
- Fixed an issue where some events could get dropped if the agent was under an especially high load.
- Fixed an issue where multiple App Firewall events could be sent for a single suspicious request parameter.
- Fixed an issue where the agent could leak memory when idle.
- Fixed an issue where sensitive data hashes were incompatible with tCell server hashing.
- Fixed an issue where empty Metrics events were sent.
- Fixed an issue where Command Injection BLOCK rules did not take precedence over otherwise equal REPORT/IGNORE rules.
New
- Added request timing metrics across all routes to Metrics events, to complement the existing per-route metrics.
- Added a new Policy Applied event that is sent whenever the agent changes its policy.
Improved
- Improved logging around errors relating to communication with tCell servers.
- Improved logging around path parsing errors during Redirect event processing.
- Removed the async_appsensor agent configuration property as it is now turned on by default. App Firewall events are always sent asynchronously.
- Removed Safe Mode agent configuration properties (hipaaSafeMode and safeModeHmacKey). All data is encrypted on input to tCell Servers. Session information is still hashed agent-side.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.4.1
2018-12-11
Fixed
- Fixed an issue where application logs would show an error relating to a missing policy cache on the first agent run.
- Fixed an issue where calling read() on tCell's wrapped ServletRequest.getInputStream() would never return an end of stream code.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.3.4
2018-12-04
Fixed
- Fixed an issue where calling read() on tCell's wrapped ServletRequest.getInputStream() will never return an end of stream code.
v1.4.0
2018-11-13
New
- XXE policy configuration is now its own top-level configuration option under the App Firewall policy, instead of being nested inside the Command Injection option.
- When installed on an app running inside AWS ECS, the agent will collect the container ID.
- Support for specifying regex-based rules to avoid firing events for specific request fields, e.g. an Accept header. Configured in the App Firewall policy under Special App Fields.
Fixed
- Added logging when the agent successfully updates its policy after failing.
- Fixed an issue where various fields could be missing in the Raw Events table under Events > App Firewall Monitoring.
- Fixed an issue where the agent could stop requesting policy updates if it received a server error response.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.3.3
2018-09-27
New
- Added header information for events sent as a result of blocking rules.
Fixed
- Limited the number of superclasses inspected so that no infinite loop occurs in the rare event that a classloader causes classes to have an infinite level of superclasses.
- Fixed situations where cmdi events sometimes do not send request information.
- Fixed a situation where the uri field is sometimes not sent with blocking rules' events.
v1.3.2
2018-08-21
Fixed
- Fixed an issue where data received by the application could get corrupted in the specific circumstance where all of the following are true:
  - An advanced blocking rule exists and is enabled (for example, a rule that includes parameter inspection; does not affect simple rules, such as IP-only blocking).
  - The request is an HTTP POST Form request, with the charset unspecified in the Content-Type HTTP request header.
  - A parameter contains a non-ASCII value (for example, double-byte characters).
  This is caused by the tCell agent calling getParameterMap() on the servlet request to inspect the parameters when parameter inspection is required for blocking. Tomcat defaults to ISO-8859-1 when no charset is specified, whereas most applications assume UTF-8. tCell agent now explicitly instructs agent to use UTF-8 when no charset is specified.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
- Redirect Domain Policies using wildcard (*) rules do not work correctly for subdomains.
v1.3.1
2018-08-07
New
- Enhance the payload processing for events to support payloads up to 2k. Logging payloads in local file remains unconstrained.
Fixed
- Fixed an issue where sometimes the agent was not able to download policy files. This resulted in (benign) error messages in log files.
- Fixed an issue where sometimes Application Firewall Ignore/Filtering rules were not properly enforced when defined using a path.
- Fixed an issue where the payload for SQL Exception events were not populated.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.3.0
2018-07-30
New
- Starting with 1.3.0, JVM Agent uses RustTLS for TLS encryption. It should be noted that the agent only makes outbound connections, and does not act as a server. Root certificate validation of tCell servers is configured by using standard Mozilla root certificates. For more information, see https://docs.rs/rustls/0.13.0/rustls/.
- Add support for Alpine Linux 3.7.
- Add support for JSON data received via PUT or PATCH method.
Fixed
- Fixed a bug where sometimes the agent would not start properly when the directory it is located in contains a space.
Known Issues
- Under high load, the agent's inspection channel will crash, leaving the app unprotected. This is due to a race condition in an older version of Rust. Recommend upgrade to version 1.5.4 or higher.
v1.2.3
2018-07-20
New
- Support for new flag do_not_instrument in the tcell_agent.config file. This flag will skip instrumenting the specified classes. Classes are specified as a JSON array of strings. This is only to be used with the guidance of tCell support, since it is only used in rare circumstances where a class is inadvertently instrumented.
v1.2.2
2018-06-19
New
- Added support for regex-based path matching to the insertion controls for the browser-based Javascript Agent (jsagent).
Fixed
- Updated path redirect matching to be case insensitive and support wildcard matching in line with other agent behavior.
- Fixed a bug where cookie inspection was not engaging.
- Fixed a bug where the host_identifier tcell_agent.config setting would not be used.
v1.2.1
2018-05-31
Fixed
- Under rare circumstances, libinjection can crash depending on the inputs. Libinjection has been fixed such that it will return an error for proper error handling, and avoid a process exit.
- A problem with OS commands was corrected, fixing a problem where command arguments could be falsely reported as commands in some cases.
- Fixed a problem introduced with v1.2.0 with OS Commands and Redirect events, where fields might not be available in the web UI.
Known Issues
- host_identifier setting in tcell_agent.config does not work correctly.
v1.2.0
2018-05-17
New
- Added support for Content-Security Policy (CSP) Scoping. This enables expression of URL path or path patterns which should not receive CSP headers by the tCell agent.
- Added support for App Firewall ignore/filter rules matching parameters by prefixed wildcard. (Previously, param_* would work. Now *_param also works.)
Known Issues
- host_identifier setting in tcell_agent.config does not work correctly.
v1.1.2
2018-04-20
Fixed
- Corrected a memory-growth problem introduced in v1.1.0 that is triggered by AppFirewall event scanning.
Known Issues
- host_identifier setting in tcell_agent.config does not work correctly.
v1.1.1
2018-04-16
Fixed
- Fixed several problems with new path-based rules for JSagent insertion and OS commands
- Rules for os commands with path matching "starts with" did not work in all cases
- Corrected a problem where HTTP path whitelisting for OS commands might be too broad.
- HTTP paths were not matched case insensitively in keeping with other product behavior
Known Issues
- Memory growth in third-party regex library. Please update to v1.1.2. If necessary, this can be temporarily worked around by disabling the App Firewall monitoring.
- host_identifier setting in tcell_agent.config does not work correctly.
v1.1.0
2018-04-12
New
- Now supports control of the browser-based Javascript Agent (JSAgent) insertion by HTTP path rules
- Now supports control of CMDi OS Commands feature with HTTP path-based whitelisting
- Detailed payload information in block events (events reported when the agent blocks requests as requested by block rules & suspicious actors)
Known Issues
- Memory growth in third-party regex library. Please update to v1.1.2. If necessary, this can be temporarily worked around by disabling the App Firewall monitoring.
- host_identifier setting in tcell_agent.config does not work correctly.
v1.0.0
2018-02-12
New
- Added support for sophisticated blocking rules based on combinations of route, path, client IP, parameters, as well as the values for parameters.
- Pattern definitions for sensors are now service-defined, so fixes to patterns can reach agents without update.
- Support for user-custom regexes, only currently used in the above blocking rules.
v0.4.5
2018-01-29
Fixed
- A problem was fixed in the agent's interaction with the servlet interface. Agent proxied http body buffers could in some cases contain trailing null bytes. This has only been seen in the Jetty appserver.
- Handle and report data: urls properly for redirect events. Previously the trimming logic for most urls was mishandling these.
v0.4.4
2017-12-20
New
- The agent will now send a much larger data slice of payloads for detected attacks, permitting better analysis.
- App Firewall exclude rules targeting exceptions or CSRF errors now supported.
- App Firewall exclude rules targeting null paths specifically are now supported.
Fixed
- Several false positives for sqli3 and sqli8 have been fixed.
v0.4.3
2017-12-07
New
- Added support to identify .svn information disclosure access attempts.
Fixed
- Fixed a bug that caused exclude rules where no sensor is selected to not engage.
- App Firewall exclude rules targeting null routes will now engage as expected.
- White/blacklisting payloads is now case insensitive.
v0.4.2
2017-11-15
New
- Initial support for Windows.
v0.4.1
2017-11-06
New
- New App Firewall functionality supporting exclude rules to filter out reporting of events based on any of: URL, parameter, IP address, and/or specific type of event or specific detection. This enables you to mark expected patterns of use as acceptable, to better see the unexpected patterns.
- Exclude rules do not yet include dbmaxrows, sql exceptions, or csrf exceptions.
- Repeated password use will be identified (using a password HMAC) to avoid flagging misconfigured API clients as an attack. See Account Takeover for more detail.
Fixed
- Detection rule XSS6 was improved to remove false positives.
- Reduced false positives on HTTP Accept headers.
v0.3.2
2017-09-28
Fixed
- Fixed a bug where not all packages would be reported (affecting only the v0.3.1 Java agent).
- Path blocking would not always block on all paths configured.
- Applications using JPA 1.0 no longer generate excess exceptions (benign) in the log files upon startup
- Fixed a bug where the agent would unnecessarily perform request inspection when IP blocking is enabled. This was possibly causing application performance issues.
- Fixed a bug where the agent might have caused performance issues when the application uses JPA.
v0.3.1
2017-09-14
Fixed
- If multiple parameters of the same request type (e.g. GET) each match detection patterns, then only the first will result in an AppFW event
- Fixed a GC (garbage collection) bug that occurred when the agent was sending events to the input service because it used String.format() as part of data sanitization. This resulted in excessive objects being allocated and therefore GCed. This is not a memory leak, but will result in increased GC load.
v0.3.0
2017-08-28
Fixed
- Fixed a bug that prevented using www subdomain for HTTP Redirect feature
- The agent will no longer send routes where either URL or the HTTP method is missing
New
- Added support for HTTP header inspection for AppFW payloads
- Added support for XXE detection point
- Added support command to allow whitelisting compound commands for the Command Injection (OS Command) feature
- Added support for excluding paths in the AppFW policy