API Gateway: CVE-2013-0809 & CVE-2013-1493 reported in a vulnerability scan

Article ID: 144721

Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), STARTER PACK-7

Issue/Introduction

A vulnerability scan may detect very old CVEs in the API Gateway, specifically CVE-2013-0809 and CVE-2013-1493. The directory called out may be /opt/CA/sdk/install_config_jre/.

Cause

An old SDK resides on the OVA images published for the API Gateway.

Environment

This article applies to all API Gateways where those two CVEs (or at least one) pointing to that directory were reported by a vulnerability scanning tool.

Resolution

This very old SDK was used in much earlier versions of the API Gateway for setting up integration with CA Single Sign-On (SSO). As this particular SDK is no longer used by the API Gateway, it can safely be removed, which will resolve the reported CVEs. To be safe, back up the directory or the VM (through a VM snapshot), remove that specific directory (/opt/CA/sdk/install_config_jre/), then reboot and scan again for vulnerabilities. Those two particular CVEs should no longer be listed.
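The backup and removal steps above can be scripted so that nothing is deleted until the archive has been read back. This is an added example, not Broadcom tooling: the function names and the backup location `/root/sdk-backup` are assumptions, and the reboot and rescan remain manual steps.

```shell
#!/bin/sh
# Added example: archive, verify, then delete the unused SDK JRE directory.
# Function names and the backup location are assumptions, not product tooling.

# Return 0 if a running process executes a binary located under directory $1.
sdk_in_use() {
    local dir exe
    dir=$(readlink -f "$1") || return 1
    for exe in /proc/[0-9]*/exe; do
        case "$(readlink "$exe" 2>/dev/null)" in
            "$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# Archive $1 into directory $2, verify the archive, delete $1, print archive path.
retire_sdk_dir() {
    local target backup_dir archive
    target=${1%/}
    backup_dir=$2
    if [ -z "$target" ] || [ -z "$backup_dir" ]; then
        echo "usage: retire_sdk_dir DIR BACKUP_DIR" >&2; return 2
    fi
    # Refuse symlinks and non-directories so rm -rf only touches the real path.
    if [ -L "$target" ] || [ ! -d "$target" ]; then
        echo "not a real directory: $target" >&2; return 3
    fi
    if sdk_in_use "$target"; then
        echo "a running process still uses $target" >&2; return 4
    fi
    mkdir -p "$backup_dir" || return 5
    archive="$backup_dir/$(basename "$target")-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$target")" "$(basename "$target")" || return 5
    # Reading the archive back proves it is usable before anything is deleted.
    if ! tar -tzf "$archive" >/dev/null; then
        echo "backup failed verification: $archive" >&2; return 6
    fi
    rm -rf -- "$target" || return 7
    echo "$archive"
}

# Example: sh retire_sdk.sh /opt/CA/sdk/install_config_jre/ /root/sdk-backup
if [ "$#" -ge 2 ]; then
    retire_sdk_dir "$1" "$2"
fi
```

The process check reads `/proc`, so run it as root on the appliance; a non-zero exit code means the directory was left untouched.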

Additional Information

The directory in question may be removed in future OVA images for the API Gateway.