Question on vulnerabilities (API Gateway Software)

Article Id: 128853
Status: Published
Updated On: 30-09-2019 08:03
Products:
STARTER PACK-7 , CA Rapid App Security , CA API Gateway , CA API Gateway , CA API Gateway
Issue/Introduction:



Does the vulnerability listed below have any impact on API Gateway 9.3 CR3 (Software) ?

(1) CVE-2018-12020
(2) CVE-2018-5146
(3) CVE-2017-8779
(4) CVE-2017-5461
(5) CVE-2016-9808
(6) CVE-2016-9447
(7) CVE-2016-7545
(8) CVE-2016-4448
 

Environment:

API Gateway 9.3 CR3 (Software)
OS: RHEL 6

Resolution:

(1) CVE-2018-12020
Software gateway doesn't have any dependency on this library installed on the RHEL server. So no impact on Gateway Software.
Software gateway will not provide fix for this. Customer will have to verify if they have updated their RHEL 6 server with this patch.
https://access.redhat.com/errata/RHSA-2018:2180

(2) CVE-2018-5146
Gateway doesn't use this library and is not affected by it.

(3) CVE-2017-8779
Gateway doesn't use this library and is not affected by it.

(4) CVE-2017-5461
Software gateway doesn't have any dependency on this library installed on the RHEL server. So no impact on Gateway Software.
Software Gateway will not have fix for this. Customer will have to verify nss, nss-tools and nss-util package version on their RHEL 6 Server.

(5) CVE-2016-9808
Gateway doesn't use this library and is not affected by it.

(6) CVE-2016-9447
Gateway doesn't use this library and is not affected by it.

(7) CVE-2016-7545
Software gateway doesn't have any direct dependency on this library installed on the RHEL server. So no impact on Gateway Software.
Software gateway will not be having the fix for this. Customer will have to verify they have applied this RHEL 6 patch.
https://access.redhat.com/errata/RHSA-2016:2702

(8) CVE-2016-4448
The software gateway doesn't directly use this library and it's not part of the Gateway product.

Customer will have to verify if they have updated their RHEL 6 server with this patch.
https://access.redhat.com/errata/RHSA-2016:1292.
They should have libxml2-2.7.6-21.el6_8.1.i686.rpm installed according to this patch.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020

Additional Information:

(1) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
(2) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-8779
(4) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
(5) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9808
(6) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9447
(7) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7545
(8) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448