API Gateway: CVE-2013-0809 & CVE-2013-1493 reported in a vulnerability scan
Article ID: 144721
CA API GatewayAPI SECURITYCA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)STARTER PACK-7
A vulnerability scan may detect very old CVEs in the API Gateway, specifically CVE-2013-0809 and CVE-2013-1493. The directory called out may be /opt/CA/sdk/install_config_jre/.
This article applies to all API Gateways where those two CVEs (or at least one) pointing to that directory were reported by a vulnerability scanning tool.
An old SDK resides on the OVA images published for the API Gateway.
This very old SDK was used in much earlier versions of the API Gateway for setting up integration with CA Single Sign-On (SSO). As this particular SDK is no longer used by the API Gateway, it can safely be removed which will resolve the reported CVEs. To be safe, do a backup of the directory or the VM (through a VM snapshot), remove that specific directory (/opt/CA/sdk/install_config_jre/), then reboot and scan again for vulnerabilities. Those two particular CVEs should no longer be listed.
The directory in question may be removed in future OVA images for the API Gateway.