Skip to main content
Version: 25.6.0

Java Agent Release Notes (25.6.0)

Overview

This release adds support for JDK 25 and a makes number of other improvements and bug fixes.

New Features / Improvements

  • PM-597/W4J-1968 Support added for JDK 25
  • ARMR-403. Support added for ARMR/2.12
  • W4J-1987 XXE ARMR rule XML processing limits limit and expansion-limit are no longer 0 by default. The default values in ARMR/2.12 are 1000 and 64000, respectively.
  • PM-600/W4J-1993 Stronger encryption algorithms available for Agent property value encryption
  • W4J-2012 Improved taint propagation for Spring StringUtils methods
  • W4J-2063 Added configurable maximum size for each field in security events. Very large fields will be truncated after 8128 characters by default

Feature Removals

  • W4J-2007 -Dcom.waratek.log.mode is no longer required and has been deprecated. The logging mode is now inferred automatically by the agent when -Dcom.waratek.log.host is configured. (Updates to existing Agent configuration files are not required)

Bug Fixes

  • REM-2445. Inconsistent warning messages logged when user inadvertently omits -Dcom.waratek.log.file property depending on whether log.mode is set to LOCAL or BOTH
  • W4J-2001. Missing taint propagation on some Spring StringUtils methods
  • W4J-2018. Improved log message when XXE event reports reference limits
  • Hubspot 36346862907 / ES-2259 / W4J-2048. Infinite loop in ObjectProxyFactory.newProxy|while may cause CPU spiking in some environments
  • W4J-2051. Encrypted -Dcom.waratek.ElasticsearchUsername, -Dcom.waratek.ElasticsearchPassword and -Dcom.waratek.ControllerKey agent properties are not consumed correctly by Agent versions 25.3.0, 25.4.0, and 25.5.0.
  • W4J-2056. ArrayIndexOutOfBoundsException may be thrown in some edge cases on Java 21 when the application calls repeat() method on tainted String/StringBuilder/StringBuffer.

Known Issues

  • W4J-64 In some cases the agent may not detect when a ARMR filesystem rule is duplicated
  • W4J-66 In some cases the agent may not detect when an ARMR filesystem rule is unreachable
  • W4J-252 Additional filesystem read events are generated for certain Application and JDK folders the first time an ARMR filesystem rule that contains the api() directive triggers
  • W4J-331 Under certain workloads running the Dacapo “h2” benchmark, an extra performance overhead may be incurred with rules in place
  • W4J-370 Under certain workloads running the SPECjvm2008 “derby" and "serial" benchmarks, an extra performance overhead may be incurred with rules in place
  • W4J-371 Under certain workloads running the SPECjvm2008 "crypto.signverify" and "xml.transform" benchmarks, an extra performance overhead may be incurred
  • W4J-435 ARMR Socket input specifier not working on some Java6 JDK
  • W4J-989 ARMR Filesystem Pathtraversal is not detected on IBM J9 JDK if Application is utlizing Java NIO classes
  • W4J-1023 Apache Struts 2.5 test suite is failing due to usage of incomplete Servlet API library
  • W4J-1367 Payload extension of security event generated by XSS rule does not contan all of the payload characters in a specific case of a complex payload.
  • W4J-1431 ARMR HTTP CSRF rule is not working correctly on in JSP page on Tomcat 10, 11 and JBossEAP8
  • W4J-1432 ARMR HTTP XSS rule is not working correctly on JBoss EAP 8 and Wildfly 32
  • W4J-1454 RMI Client/Server connection fails with java.rmi.NoSuchObjectException on JRockit Java6 Windows
  • W4J-1473 SQLi protection does not work for a small number of attacks on at least one version of J9 Java 8
  • W4J-1475 Input attribute can not be used on ARMR Socket Connect rules on IBM J9 JDKs
  • W4J-1477 ARMR VCPU rule pack breaks DNS rules using input() specifier on Windows
  • REM-1855 IOException is unexpectedly thrown when the Deserial rule is absent in certain cases
  • REM-2422 When running JRockit 6 with Dynatrace, neither JBoss AS 7.1 nor JBoss EAP 6.x are supported
  • REM-2434 JBoss AS 7.1 and JBoss EAP 6.x running with IBM J9 are unsupported
  • REM-2906 On some versions of IBM J9 JDK8, jdk-j9-8sr5fp10-linux-x64 being one such version, ARMR XSS is not detected in SpringBoot applications.
  • REM-3045 Protected XSS attack on JamWiki webapp causes JBoss v4.2 shutdown to hang
  • REM-3126 Warning "OpenJDK 11 IllegalAccessError after JVMTI retransform/redefine" while onboarding to the Portal
  • REM-3230 Under certain workloads running JRockit 6, an extra performance overhead may be incurred

Third Party / Open Source Dependencies

  • ANTLR
  • Log4j (version1) Library
  • ASM Library
  • OpenJDK JDK Source
  • JASYPT