This article discusses CVE-2021-3156, the heap-based buffer overflow in sudo (also known as "Baron Samedit"), a local privilege escalation that lets an unprivileged user gain root on an unpatched host.
This article applies to all supported API Gateway versions running in the Appliance form factor. For the software form factor, updating the operating system is the responsibility of the server administrator.
To answer a couple of questions first:
According to the CentOS announcement, the fixed sudo RPMs were released at the end of January 2021, after our January patch cut-off date, so they should be included in our February 2021 patches.
Please note: if the API Gateway is running in the software form factor, keeping the operating system packages up to date is the responsibility of the server administrator, not Broadcom. If the API Gateway is running in the Appliance form factor, see the Additional Information section below for more information.
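Whichever form factor is in use, an administrator will want to confirm whether the sudo actually installed on a host is fixed, rather than rely on the patch schedule alone. The script below is an added example, not part of the original article or of the API Gateway product. It wraps two checks: the upstream test published with the vulnerability (running `sudoedit -s /` as an unprivileged user prints an error beginning "sudoedit:" on a vulnerable build and a "usage:" error on a fixed one), and a search of the installed sudo RPM's changelog for the CVE id. The second check assumes, as is usual for CentOS/RHEL errata, that the vendor changelog entry names the CVE; the article does not state this, and a missing entry is reported as "unknown", not as "vulnerable". The function names and the sample changelog line are constructed for this example.

```shell
#!/bin/sh
# Added example: local checks for CVE-2021-3156 (sudo heap overflow).
# Not from the original article. Function names are illustrative.

# classify_sudoedit_output MESSAGE
#   Maps the first line of "sudoedit -s /" output to a verdict, following the
#   upstream test: "sudoedit: ..." => vulnerable, "usage: ..." => patched.
#   Anything else (for example a message from sudo itself) is "unknown".
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# check_sudoedit_live
#   Runs the upstream test on this host if sudoedit is installed.
#   Run it as a non-root user; stdin is closed so it cannot block on input.
check_sudoedit_live() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo unknown
        return
    fi
    out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    classify_sudoedit_output "$out"
}

# changelog_mentions_cve CHANGELOG_TEXT
#   Returns 0 if the text names CVE-2021-3156, 1 otherwise.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q 'CVE-2021-3156'
}

# check_rpm_changelog
#   Looks for the CVE id in the installed sudo package's changelog.
#   Assumption: the vendor changelog entry lists the CVE id. Absence is
#   reported as "unknown" because an errata entry may be worded differently.
check_rpm_changelog() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo unknown
        return
    fi
    if changelog_mentions_cve "$(rpm -q --changelog sudo 2>/dev/null)"; then
        echo patched
    else
        echo unknown
    fi
}

# Report both verdicts when run directly.
echo "sudoedit test : $(check_sudoedit_live)"
echo "rpm changelog : $(check_rpm_changelog)"
```

Treat "vulnerable" from the sudoedit test as authoritative; it exercises the faulty code path itself. Treat "patched" from the changelog check as supporting evidence only, and "unknown" from either check as a prompt to look further (for example with `rpm -q sudo` against the vendor's errata) rather than as a clean result.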