
About API-GW vulnerability


Article ID: 110134


Updated On:

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction



Is API Gateway affected by the following security vulnerabilities?
If so, is the fix included in the product?
・CVE-2018-1336 
・CVE-2018-2952 

Environment

API Gateway 8.3

Resolution

・CVE-2018-1336 :
* The Gateway 8.3 product is not affected because it uses Tomcat 6.


・CVE-2018-2952 :

* The affected Java concurrency subcomponent is a core component, so Gateway 8.3 is probably affected to some extent, but I can't say to what extent.
* It is a low-severity CVE with a difficult-to-exploit rating.
* Regardless of whether the Gateway product is affected, the library fix (an updated JDK version) will be delivered in the next CR (cumulative release) patch for Gateway 8.3, but there is no known schedule for this yet.
* Customers are advised to migrate to Gateway 9.x to receive more frequent CR updates that include JDK updates.