When scanning the CA API Gateway OVA Appliance with Rapid 7 Security scanner you may get results such as:

Java CPU MONTH YEAR Java SE, Java SE Embedded vulnerability (CVE-YEAR-###)

This indicates that the Rapid 7 scanner (or potentially other security scanners has found a security vulnerability with the version of Java SE installed)

Release : 9.x and 10.x

Component : API GATEWAY

The cause of this is due to the version of Java that is embedded with the Gateway Appliance OVA environment which may be older than the latest version which addresses vulnerabilities seen with Security Scanners such as Rapid 7.

Java (OpenJDK) that comes with the Gateway Appliance is updated in two ways:

1. Through Cumulative Release Patches (CRs) which can be downloaded from the Solutions and Patches Page 
2. Through product release upgrades (for example upgrading from 9.4 to 10)

Please be aware that manually upgrading Java outside of the Cumulative Release Patches or Product Version Upgrades is not supported as the Gateway Appliance is tested with specific versions of Java for quality assurance purposes. 

OpenJDK Version History

https://adoptopenjdk.net/release_notes.html