Layer 7 API Gateway: Vulnerabilities in Gateway 10 Azure VM kernel


Article ID: 198315


Updated On:

Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway

Issue/Introduction

A security scan has revealed the following vulnerabilities in the Gateway 10 Azure image that uses the August monthly platform patch:

CVE-2020-12888, CVE-2020-0543
CVE-2015-9289, CVE-2017-17807, CVE-2018-7191, CVE-2018-20169, CVE-2019-3901, CVE-2019-9503, CVE-2019-10207, CVE-2019-11884, CVE-2019-12382, CVE-2019-13233, CVE-2019-13648, CVE-2019-14283, CVE-2019-15916, CVE-2019-16746, CVE-2019-18660, CVE-2018-19985, CVE-2019-10638, CVE-2019-10639, CVE-2019-11190, CVE-2019-15221
CVE-2019-11487, CVE-2019-17666, CVE-2019-11135, CVE-2019-19338


Cause

The kernel vulnerabilities are addressed in the August monthly platform patch. However, after the patch is installed, the Gateway is supposed to pick up kernel-3.10.0-1127.18.2.el7.x86_64.rpm but remains stuck on kernel-3.10.0-1062.12.1.el7.x86_64, so the scan still reports the old kernel's vulnerabilities.

Environment

Release: 10.0

Component: API GATEWAY

Resolution

To make sure the Gateway is able to pick up the latest kernel, a temporary fix has been created; see the attached update_grub_config.sh.

Once the script is executed, all the missing kernel entries are added to the /boot/grub2/grub.cfg file from /etc/grub2.cfg, which is the file that actually gets updated whenever a new kernel RPM is installed. A soft link is also added to /etc/grub2.cfg so that future kernel updates are taken care of.

This will be addressed in the September 2020 platform patch.

Steps to execute the script:

1. Copy the script to the Azure VM.

2. Add the execution permissions: chmod 755 <script path>/update_grub_config.sh

3. Execute the shell script.
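
A way to confirm the result, as an added example that is not the attached update_grub_config.sh and not Broadcom's code: it checks that /boot/grub2/grub.cfg has a boot entry for the patched kernel or newer, that /etc/grub2.cfg is a soft link, and that the running kernel is no longer the old one. The function names and the sample grub.cfg are constructed for illustration, and the check assumes that the soft link described above makes /etc/grub2.cfg itself a symlink.

```bash
#!/usr/bin/env bash
# Added check, not the attached update_grub_config.sh.
FIXED_KERNEL="3.10.0-1127.18.2.el7.x86_64"   # patched kernel named in the article

# Kernel versions that have a boot entry, read from the linux16/linuxefi lines.
grub_kernels() {
    awk '$1 ~ /^linux(16|efi)?$/ { n = split($2, p, "vmlinuz-");
         if (n == 2 && p[2] !~ /^0-rescue/) print p[2] }' "$1" | sort -u
}

# True if version $1 is the same as or newer than version $2 (GNU sort -V).
kernel_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Args: boot grub.cfg, /etc/grub2.cfg, running kernel. Returns 1 on any finding.
check_boot_config() {
    local boot_cfg="$1" etc_cfg="$2" running="$3" rc=0 found=no k
    for k in $(grub_kernels "$boot_cfg"); do
        if kernel_at_least "$k" "$FIXED_KERNEL"; then found=yes; fi
    done
    if [ "$found" = no ]; then
        echo "FAIL: no boot entry for $FIXED_KERNEL or newer in $boot_cfg"; rc=1
    fi
    if [ ! -L "$etc_cfg" ]; then
        echo "FAIL: $etc_cfg is not a soft link"; rc=1
    fi
    if ! kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "FAIL: running $running, older than $FIXED_KERNEL"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: running $running"; fi
    return "$rc"
}

# Constructed sample of the stale state: only the old kernel has an entry.
sample_stale_cfg() {
    cat <<'EOF'
menuentry 'constructed entry (3.10.0-1062.12.1.el7.x86_64)' {
        linux16 /vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=/dev/sda1 ro
        initrd16 /initramfs-3.10.0-1062.12.1.el7.x86_64.img
}
menuentry 'constructed rescue entry' {
        linux16 /vmlinuz-0-rescue-constructed root=/dev/sda1 ro
}
EOF
}

# On the Gateway, pass --check once the script has run and the VM has rebooted.
if [ "${1:-}" = "--check" ]; then
    check_boot_config /boot/grub2/grub.cfg /etc/grub2.cfg "$(uname -r)"
fi
```

A new kernel only takes effect after a reboot, so the running-kernel check fails until the VM has been restarted.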