CA API GW 9.4 Netty Library - Vulnerability

Article ID: 194879

Products

CA Mobile API Gateway

CA Rapid App Security

Issue/Introduction

The customer is using Twistlock (a commercial vulnerability scanner for Docker images).

Current issue: the Netty library shipped in the CA API Gateway Docker images (see the table below).

bash-4.2# find . -name "*netty*"
./SecureSpan/Gateway/runtime/lib/netty-all-4.1.1.Final.jar

Tested against both images:

caapim/gateway:latest

caapim/gateway:9.4.00_20200212

An updated netty-all library jar is available that could replace this file (see the Fix Status and Possible Update columns):

Registry | Repository     | Tag             | CVE ID         | Type | Severity | Packages           | Package Version | Fix Status            | Possible Update
-        | caapim/gateway | 9.4.00_20200212 | CVE-2019-16869 | java | high     | io.netty_netty-all | 4.1.1.Final     | fixed in 4.1.42.Final | https://mvnrepository.com/artifact/io.netty/netty-all
-        | caapim/gateway | 9.4.00_20200212 | CVE-2019-20444 | java | critical | io.netty_netty-all | 4.1.1.Final     | fixed in 4.1.44       | -
-        | caapim/gateway | 9.4.00_20200212 | CVE-2019-20445 | java | critical | io.netty_netty-all | 4.1.1.Final     | fixed in 4.1.44       | -
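As an added example (not part of the CA article), the following shell script turns the find command and the table above into a repeatable check: it locates netty-all jars under a directory, reads the version from the jar name, and reports which of the three CVEs still apply using the "fixed in" versions from the table. It assumes the jar follows the netty-all-<version>.jar naming seen in the find output.

```sh
#!/bin/sh
# Added example, not part of the CA article: check a Gateway image's filesystem
# for netty-all jars and report which CVEs from the table above still apply,
# using the "fixed in" versions the table gives (4.1.42.Final and 4.1.44).
# Assumes the jar is named netty-all-<version>.jar, as in the find output above.

# version_lt A B: succeed when dotted version A is lower than B (".Final" suffix ignored).
version_lt() {
    a=${1%.Final}
    b=${2%.Final}
    if [ "$a" = "$b" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    if [ "$lowest" = "$a" ]; then return 0; else return 1; fi
}

# affected_cves VERSION: print one CVE ID per line whose fix version is above VERSION.
affected_cves() {
    if version_lt "$1" 4.1.42.Final; then echo CVE-2019-16869; fi
    if version_lt "$1" 4.1.44; then echo CVE-2019-20444; echo CVE-2019-20445; fi
    return 0
}

# scan_netty [DIR]: find netty-all jars under DIR (default ".", i.e. run from the
# same directory as the find command above) and print a verdict per jar.
scan_netty() {
    find "${1:-.}" -name 'netty-all-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#netty-all-}
        cves=$(affected_cves "$ver" | tr '\n' ' ')
        if [ -n "$cves" ]; then
            echo "$jar: $ver is affected by $cves"
        else
            echo "$jar: $ver is not affected by the listed CVEs"
        fi
    done
}

# Usage inside the container, e.g.: sh scan-netty.sh --scan /opt/SecureSpan
if [ "${1:-}" = "--scan" ]; then scan_netty "${2:-.}"; fi
```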
Environment

Release : 7.1

Component : MOBILE API

Resolution

The fix will be included in the official Gateway 10 CR2 release (September 2020).
