Question on vulnerabilities (API Gateway Software)


Article ID: 128853

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction



Do the vulnerabilities listed below have any impact on API Gateway 9.3 CR3 (Software)?

(1) CVE-2018-12020
(2) CVE-2018-5146
(3) CVE-2017-8779
(4) CVE-2017-5461
(5) CVE-2016-9808
(6) CVE-2016-9447
(7) CVE-2016-7545
(8) CVE-2016-4448

Environment

API Gateway 9.3 CR3 (Software)
OS: RHEL 6

Resolution

(1) CVE-2018-12020
The software gateway has no dependency on this library; it is installed on the RHEL server independently of the Gateway, so there is no impact on Gateway Software.
No Gateway fix will be provided for this. Customers need to verify that their RHEL 6 server has been updated with this patch:
https://access.redhat.com/errata/RHSA-2018:2180

(2) CVE-2018-5146
Gateway doesn't use this library and is not affected by it.

(3) CVE-2017-8779
Gateway doesn't use this library and is not affected by it.

(4) CVE-2017-5461
The software gateway has no dependency on this library; it is installed on the RHEL server independently of the Gateway, so there is no impact on Gateway Software.
No Gateway fix will be provided for this. Customers need to verify the nss, nss-tools and nss-util package versions on their RHEL 6 server.

(5) CVE-2016-9808
Gateway doesn't use this library and is not affected by it.

(6) CVE-2016-9447
Gateway doesn't use this library and is not affected by it.

(7) CVE-2016-7545
The software gateway has no direct dependency on this library; it is installed on the RHEL server independently of the Gateway, so there is no impact on Gateway Software.
No Gateway fix will be provided for this. Customers need to verify that they have applied this RHEL 6 patch:
https://access.redhat.com/errata/RHSA-2016:2702

(8) CVE-2016-4448
The software gateway does not use this library directly, and it is not part of the Gateway product.

Customers need to verify that their RHEL 6 server has been updated with this patch:
https://access.redhat.com/errata/RHSA-2016:1292
According to this patch, libxml2-2.7.6-21.el6_8.1.i686.rpm should be installed.
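An added example (not from this article or the CA API Gateway product) of the package check the resolution asks the customer to perform: given the output of rpm -q on the RHEL 6 host, it compares the installed libxml2 build against the fixed build quoted above using rpm's own version-ordering rules. The FIXED table and the SAMPLE output are constructed for the example; only the libxml2 version comes from the article.

```python
import re

# Minimum fixed (epoch, version, release) per package. The libxml2 value is
# the one the article quotes from RHSA-2016:1292; the page states no other
# fixed versions, so entries for nss, nss-util and nss-tools (CVE-2017-5461)
# must be taken from the corresponding RHEL 6 errata before use.
FIXED = {"libxml2": ("0", "2.7.6", "21.el6_8.1")}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Compare two version/release strings the way rpm does (tilde and
    caret handling omitted): numeric segments compare numerically, alpha
    segments lexically, numeric beats alpha, more segments wins."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples, most significant first."""
    return next((r for r in (rpmvercmp(x, y) for x, y in zip(a, b)) if r), 0)

def check_installed(rpm_output):
    """rpm_output is the text printed on the RHEL 6 host by
       rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n' libxml2
    (rpm prints '(none)' for an unset epoch, which it treats as 0).
    Returns {package: 'fixed' | 'vulnerable' | 'not installed'}."""
    installed = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 4:
            epoch = "0" if parts[1] == "(none)" else parts[1]
            installed[parts[0]] = (epoch, parts[2], parts[3])
    verdict = {}
    for name, fixed in FIXED.items():
        if name not in installed:
            verdict[name] = "not installed"
        elif evr_cmp(installed[name], fixed) >= 0:
            verdict[name] = "fixed"
        else:
            verdict[name] = "vulnerable"
    return verdict

# Constructed sample: a host still on a pre-errata libxml2 build.
SAMPLE = "libxml2 (none) 2.7.6 20.el6\nnss (none) 3.28.4 4.el6_9\n"
```

Packages that appear in the rpm output but have no FIXED entry are ignored, so a "fixed" verdict only means the listed packages meet the quoted builds, not that the host is fully patched.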

Additional Information

(1) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
(2) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
(4) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
(5) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9808
(6) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9447
(7) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7545
(8) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448