Summary: CAST AIP 8.3.25 introduces a number of features and changes as listed below.
Support has been implemented for IMS MFS Maps to improve IMS/DC support, so that it is possible to find out which Cobol programs use an MFS Map:
As a result, the following changes have been implemented:
- IMS Message Format Service
- IMS Message Input Descriptor
- IMS Message Output Descriptor
The Mainframe Analyzer is now able to detect the following specific types of JCL Dataset, which will now be visible in CAST Enlighten, Architecture Checker and CAST Transaction Configuration. See Mainframe - Technical notes for more details.
In addition, a new prototype link has been implemented between DBD objects and JCL Datasets (DBD).
The documentation for the following rules has been updated:
- Program semantic should respect the logic of flow execution: the rationale has been updated.
The SQL Analyzer embedded in AIP now supports:
The following new rules have been implemented:
| Rule ID | CWE ID | Rule name | Input name | Target name | .NET support | JEE support |
|---|---|---|---|---|---|---|
| 8482 | 79 | Cross-site scripting through API requests | Network.readAPI | Network.write | NO | LIMITED |
| 8484 | 113 | HTTP response splitting through API requests | Network.readAPI | Network.http | NO | LIMITED |
| 8486 | 99 | Resource injection through API requests | Network.readAPI | Resource.write | NO | LIMITED |
| 8488 | 99 | Resource URL manipulation through API requests | Network.readAPI | Resource.writeURL | NO | LIMITED |
| 8490 | 89 | SQL injection through API requests | Network.readAPI | Database.write | NO | LIMITED |
| 8492 | 90 | LDAP injection through API requests | Network.readAPI | LDAP.filter | NO | LIMITED |
| 8494 | 78 | OS command injection through API requests | Network.readAPI | Runtime.exec | NO | LIMITED |
| 8496 | 114 | Process control through API requests | Network.readAPI | Runtime.load | NO | LIMITED |
| 8498 | 78 | Denial of service threat through API requests | Network.readAPI | Thread.sleep | NO | LIMITED |
| 8500 | 94/95 | Code injection through API requests | Network.readAPI | Script.eval | NO | LIMITED |
| 8502 | 470 | Reflection injection through API requests | Network.readAPI | Reflection.write | NO | LIMITED |
| 8504 | 91 | XPath injection through API requests | Network.readAPI | XPath.write | NO | LIMITED |
| 8506 | 73 | Path manipulation through API requests | Network.readAPI | File.open | NO | LIMITED |
| 8508 | 117 | Log forging through API requests | Network.readAPI | Log.write | NO | LIMITED |
| 8510 | 134 | Uncontrolled format string through API requests | Network.readAPI | String.format | NO | LIMITED |
| 8512 | 501 | Request parameters in session through API requests | Network.readAPI | Network.writeSession | NO | LIMITED |
| 8514 | 89 | NoSQL injection through API requests | Network.readAPI | Nosql.write | NO | LIMITED |
| 8516 | 601 | Open redirect through API requests | Network.readAPI | Network.redirect | NO | LIMITED |
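Every rule in the table shares the same shape: data read from an API request (input name Network.readAPI) reaches a sensitive operation (the target name) without being neutralised on the way. The following Java snippet is an added illustration, not CAST code, of the flow that rule 8490 (SQL injection through API requests, CWE-89) reports, placed next to the form that breaks the flow. It assumes a JAX-RS endpoint as the request-reading API and an injected JDBC connection; the page's own list of supported APIs is not reproduced here, so treating JAX-RS as one of them is an assumption.

```java
// Added example, not part of CAST AIP or its documentation.
// Assumptions: JAX-RS is the request-reading API (stand-in for the page's
// "Network.readAPI" input) and a JDBC Connection is supplied by the container.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;

@Path("/users")
public class UserResource {
    private final Connection conn;

    public UserResource(Connection conn) {
        this.conn = conn;
    }

    // Flagged pattern: the request parameter is concatenated into the SQL text,
    // so the request-to-database path the rule looks for is complete
    // (input Network.readAPI -> target Database.write, CWE-89).
    @GET
    @Path("/by-name/unsafe")
    public String findUnsafe(@QueryParam("name") String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("id") : null;
        }
    }

    // Remediated form: the request value travels as a bound parameter and never
    // becomes part of the statement text, so no tainted data reaches the sink.
    @GET
    @Path("/by-name")
    public String findSafe(@QueryParam("name") String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("id") : null;
            }
        }
    }
}
```

The same source-to-sink reading applies to the other rows: replace the JDBC call with the row's target (a log write for 8508, a redirect for 8516, a format string for 8510) and the remediation is whatever keeps the request value out of the privileged position, such as encoding it, validating it against an allow-list, or passing it as data rather than as syntax.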
All of the above new rules are based on "injection through API requests"; the list of supported APIs is as follows:
The following truncated manglings are now supported:
This is an improvement to "AIPCORE-1705 - User Input Security is now able to detect security violations in Apache Struts 2 applications" added in CAST AIP 8.3.21.
The CAST Database Extractor now supports:
The CSS Upgrade Wizard (CSSUpgrade.exe) used to move schemas from one CAST Storage Service/PostgreSQL instance to another is now deprecated.
A new batch file called CombinedTransfer.bat has been created as a replacement for the CSS Upgrade Wizard. It is a wrapper batch file for the CSS Backup and Restore Tools provided as part of CAST AIP ≥ 8.3.x, and runs a fully automated process of dumping the required schemas to file and then restoring the dumps on the new server. The source and target CAST Storage Service/PostgreSQL instances do not need to be installed on the same host, and both can be remote from the machine on which you execute the batch file.
The CombinedTransfer.bat batch file is located in the following folder and must be executed from within the context of this folder:
<CAST AIP installation>\CSSAdmin\CSSUpgrade\
See CAST Storage Service - Moving existing schemas to new hosts for more information.
CAST AIC Portal is now deprecated and official support for this web application will cease at the end of 2020. CAST encourages users to switch to AIP Console where possible.
If you need to onboard new Applications and are not yet using AIP Console or are having issues using CAST AIC Portal, then it is now possible to create new Applications directly in CAST Management Studio for all user audiences ("regular" through to "expert"). This is a "stop gap" solution until such time as you are ready to switch to AIP Console.