Java SE Embedded Vulnerability on Gateway

Article ID: 193392

Updated On:

Products

CA API Gateway

Issue/Introduction

When scanning the CA API Gateway OVA Appliance with the Rapid7 security scanner you may get findings such as:

Java CPU MONTH YEAR Java SE, Java SE Embedded vulnerability (CVE-YEAR-###)

This indicates that the Rapid7 scanner (or potentially another security scanner) has matched the version of Java SE installed on the appliance against a known vulnerability published in an Oracle Java Critical Patch Update (CPU).

Cause

The Gateway Appliance OVA ships with an embedded Java runtime. When that runtime is older than the Java release that fixes the CVEs in the flagged CPU, security scanners such as Rapid7 report the finding against the appliance.

Environment

Release : 9.x and 10.x

Component : API GATEWAY

Resolution

The OpenJDK runtime bundled with the Gateway Appliance is updated in two supported ways:

  1. Through Cumulative Release Patches (CRs), which can be downloaded from the Solutions and Patches Page 
  2. Through product release upgrades (for example, upgrading from 9.4 to 10)

Please be aware that manually upgrading Java outside of the Cumulative Release Patches or product version upgrades is not supported, because the Gateway Appliance is tested against specific Java versions for quality assurance purposes. After applying a CR or upgrade, re-run the scan: the finding clears only once the embedded OpenJDK reports a version at or above the one referenced by the flagged Java CPU.
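Because scanners match on the Java version string, the practical check after applying a CR is whether the bundled runtime now reports a version at or above the one the flagged CPU fixed. The following script is an added example (not from the original article and not Broadcom/CA tooling) that parses both Java version schemes (the `1.8.0_292` style and the `11.0.11` style) into comparable tuples and tests them against a minimum. The sample outputs are constructed; the `java` binary on PATH and the minimum version are assumptions that should be set from the CR release notes or the Java CPU named in the finding.

```python
"""Check the Java runtime reported by `java -version` against a minimum.

Added example, not Broadcom/CA code. The minimum version you pass in is an
assumption: take it from the Cumulative Release notes or the Java CPU that the
scanner finding references.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (feature, interim, update), e.g. (8, 0, 292)

# Constructed sample outputs of `java -version` (Java prints this on stderr).
SAMPLE_JAVA8 = (
    'openjdk version "1.8.0_292"\n'
    'OpenJDK Runtime Environment (build 1.8.0_292-b10)\n'
    'OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)\n'
)
SAMPLE_JAVA11 = (
    'openjdk version "11.0.11" 2021-04-20\n'
    'OpenJDK Runtime Environment (build 11.0.11+9)\n'
    'OpenJDK 64-Bit Server VM (build 11.0.11+9, mixed mode)\n'
)

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_version_string(raw: str) -> Version:
    """Normalise both Java version schemes to one comparable tuple.

    Java 8 and earlier: 1.<feature>.0_<update>                  -> (feature, 0, update)
    Java 9 and later:   <feature>.<interim>.<update>[+build][-tag] -> (feature, interim, update)
    """
    core = raw.split("+", 1)[0].split("-", 1)[0]  # drop "+9" build and "-ea" tags
    if core.startswith("1.") and "_" in core:
        head, update = core.split("_", 1)
        return (int(head.split(".")[1]), 0, int(update))
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))  # "17" is the same as "17.0.0"
    return (parts[0], parts[1], parts[2])


def parse_java_version(output: str) -> Optional[Version]:
    """Extract the version tuple from `java -version` text, or None if absent."""
    match = _VERSION_RE.search(output)
    return parse_version_string(match.group(1)) if match else None


def meets_minimum(output: str, minimum: str) -> bool:
    """True only when the output names a version >= `minimum`.

    Unparseable output fails closed: a runtime we cannot identify is not a fixed one.
    """
    found = parse_java_version(output)
    return found is not None and found >= parse_version_string(minimum)


def installed_java_output(java_bin: str = "java") -> Optional[str]:
    """Run `java -version` for the given binary (assumed to be on PATH) and return its text."""
    path = shutil.which(java_bin)
    if path is None:
        return None
    proc = subprocess.run([path, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    import sys

    minimum = sys.argv[1] if len(sys.argv) > 1 else "1.8.0_292"  # assumed threshold
    text = installed_java_output()
    if text is None:
        print("java not found on PATH")
        sys.exit(2)
    print(text.strip())
    ok = meets_minimum(text, minimum)
    print("OK" if ok else "BELOW MINIMUM", "(minimum", minimum + ")")
    sys.exit(0 if ok else 1)
```

Run it on the appliance as `python3 check_java.py 1.8.0_292` with the version from the CR notes in place of the assumed default; a non-zero exit means the scanner finding will persist until the next CR or upgrade raises the bundled runtime. The comparison fails closed on unparseable output so that a missing or unusual runtime is never reported as patched.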

Additional Information

OpenJDK Version History

https://adoptopenjdk.net/release_notes.html