Skip to main content
Version: 25.6.0

Java Agent Release Notes (25.6.0)

Overview

This release adds support for JDK 25 and a makes number of other improvements and bug fixes.

New Features / Improvements

  • PM-597/W4J-1968 Support added for JDK 25
  • ARMR-403. Support added for ARMR/2.12
  • W4J-1987 XXE ARMR rule XML processing limits limit and expansion-limit are no longer 0 by default. The default values in ARMR/2.12 are 1000 and 64000, respectively.
  • PM-600/W4J-1993 Stronger encryption algorithms available for Agent property value encryption
  • W4J-2012 Improved taint propagation for Spring StringUtils methods
  • W4J-2063 Added configurable maximum size for each field in security events. Very large fields will be truncated after 8128 characters by default

Feature Removals

  • W4J-2007 -Dcom.waratek.log.mode is no longer required and has been deprecated. The logging mode is now inferred automatically by the agent when -Dcom.waratek.log.host is configured. (Updates to existing Agent configuration files are not required)

Bug Fixes

  • REM-2445. Inconsistent warning messages logged when user inadvertently omits -Dcom.waratek.log.file property depending on whether log.mode is set to LOCAL or BOTH
  • W4J-2001. Missing taint propagation on some Spring StringUtils methods
  • W4J-2018. Improved log message when XXE event reports reference limits
  • Hubspot 36346862907 / ES-2259 / W4J-2048. Infinite loop in ObjectProxyFactory.newProxy|while may cause CPU spiking in some environments
  • W4J-2051. Encrypted -Dcom.waratek.ElasticsearchUsername, -Dcom.waratek.ElasticsearchPassword and -Dcom.waratek.ControllerKey agent properties are not consumed correctly by Agent versions 25.3.0, 25.4.0, and 25.5.0.
  • W4J-2056. ArrayIndexOutOfBoundsException may be thrown in some edge cases on Java 21 when the application calls repeat() method on tainted String/StringBuilder/StringBuffer.

Known Issues

  • W4J-252 Additional filesystem read events are generated for certain Application and JDK folders the first time an ARMR filesystem rule that contains the api() directive triggers
  • W4J-435 ARMR Socket input specifier not working on some Java6 JDK
  • W4J-989 ARMR Filesystem Pathtraversal is not detected on IBM J9 JDK if Application is utlizing Java NIO classes
  • W4J-1367 Payload extension of security event generated by XSS rule does not contan all of the payload characters in a specific case of a complex payload.
  • W4J-1431 ARMR HTTP CSRF rule is not working correctly on in JSP page on Tomcat 10, 11 and JBossEAP8
  • W4J-1432 ARMR HTTP XSS rule is not working correctly on JBoss EAP 8 and Wildfly 32
  • W4J-1473 SQLi protection does not work for a small number of attacks on at least one version of J9 Java 8
  • W4J-1475 Input attribute can not be used on ARMR Socket Connect rules on IBM J9 JDKs
  • W4J-1477 ARMR Patch for CVE-2016-5552 disables input() specifier on DNS/Socket rules on Windows
  • REM-2434 JBoss AS 7.1 and JBoss EAP 6.x running with IBM J9 are unsupported
  • REM-2906 On some versions of IBM J9 JDK8, jdk-j9-8sr5fp10-linux-x64 being one such version, ARMR XSS is not detected in SpringBoot applications.
  • REM-3126 Warning "OpenJDK 11 IllegalAccessError after JVMTI retransform/redefine" while onboarding to the Portal

Third Party / Open Source Dependencies

  • ANTLR
  • Log4j (version1) Library
  • ASM Library
  • OpenJDK JDK Source
  • JASYPT