CA API GW 9.4 Netty Library - Vulnerability

Article Id: 194879
Status: Published
Updated On: 10-07-2020 13:59
Products:
CA Mobile API Gateway , CA Rapid App Security
Issue/Introduction:

Customer is using Twistlock (commercial vulnerability scan tool for docker images)

Current issue:   Netty libraries in the CA API Docker images.   (see below table)

bash-4.2# find . -name "*netty*"

./SecureSpan/Gateway/runtime/lib/netty-all-4.1.1.Final.jar

Tested against both images:

caapim/gateway:latest

caapim/gateway:9.4.00_20200212

There is an updated netty-all library jar files that may replace this file:

 

Registry

Repository

Tag

CVE ID

Type

Severity

Packages

Package Version

Fix Status

Possible Update

        
                           
                   
 

caapim/gateway

9.4.00_20200212

CVE-2019-16869

java

high

io.netty_netty-all

4.1.1.Final

fixed in 4.1.42.Final

https://mvnrepository.com/artifact/io.netty/netty-all
 

caapim/gateway

9.4.00_20200212

CVE-2019-20444

java

critical

io.netty_netty-all

4.1.1.Final

fixed in 4.1.44

          
 

caapim/gateway

9.4.00_20200212

CVE-2019-20445

java

critical

io.netty_netty-all

4.1.1.Final

fixed in 4.1.44

          
                 
                           
                           
                           




Environment:

Release : 7.1

Component : MOBILE API

Resolution:

This will be included in Gateway 10 CR2 the official - Sept 2020