What's new in HCL AppScan® Enterprise

Important Notice

For HCL AppScan Enterprise version 10.0.2 and newer, an HCL license is required. HCL AppScan Enterprise versions 10.0.2 and newer do not support IBM licenses. See the product documentation for instructions on installing an HCL License. For more information contact your HCL representative or HCL Support.

New in HCL AppScan® Enterprise 10.0.6

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
  • Common Access Card (CAC) authentication using client certificates with Subject Alternative Name (SAN) attribute is now supported
  • Regulatory Compliance Reports now include a Summary section
  • Security Assertion Markup Language (SAML) Single Sign-On with Microsoft Active Directory Federation Services (ADFS) is now supported
  • Jobs search API is now accessible by all users, not only administrators
  • Security updates:
    • Detection of Request smuggling vulnerabilities
    • SSTI (Server-side Template Injection)
    • SSRF (Server-side Request Forgery)
    • JWT: Weak signature in JSON web tokens
    • OAuth: Cross-site Request Forgery
    • OAuth: Implicit grant type
    • CVE-2017-1000486: PrimeFaces RCE
    • CVE-2020-25213: WordPress RCE
    • CVE-2021-2109: Oracle WebLogic RCE

Added in fix

  • Fixed the Log4j vulnerability in AppScan - CVE-2021-44228 & CVE-2021-45046
  • Added a security update to test for Log4j vulnerability CVE-2021-44228

Fixes and security updates

  • Fixes and security updates are listed here.
    Note: After the original release on 15th November 2021, the Log4j vulnerability was announced. A fixed version of AppScan Enterprise 10.0.6 was therefore released on 17th December 2021. The fixed version, AppScan Enterprise - which is now the only version of 10.0.6 available for download in FNO - resolves the Log4j vulnerability in AppScan Enterprise, and also tests for it.

Upcoming changes

The following will be removed in a future release:

  • Test policies: Web Services, The Vital Few, Developer Essentials; as similar results can now be achieved using other policies. For information, see Predefined Test Policies.