A vulnerability scan may detect very old CVEs in the API Gateway, specifically CVE-2013-0809 and CVE-2013-1493. The directory called out may be /opt/CA/sdk/install_config_jre/.
An old SDK resides on the OVA images published for the API Gateway.
This article applies to all API Gateways where those two CVEs (or at least one) pointing to that directory were reported by a vulnerability scanning tool.
This very old SDK was used in much earlier versions of the API Gateway for setting up integration with CA Single Sign-On (SSO). As this particular SDK is no longer used by the API Gateway, it can safely be removed which will resolve the reported CVEs. To be safe, do a backup of the directory or the VM (through a VM snapshot), remove that specific directory (/opt/CA/sdk/install_config_jre/), then reboot and scan again for vulnerabilities. Those two particular CVEs should no longer be listed.
The directory in question may be removed in future OVA images for the API Gateway.