API Gateway: CVE-2021-3156 (Heap-Based Buffer Overflow in Sudo)

Article ID: 208639

Products

CA API Gateway

Issue/Introduction

This article will discuss CVE-2021-3156, also known as a "Heap-Based Buffer Overflow in Sudo".

Questions:

  1. Is the API Gateway vulnerable to CVE-2021-3156?
  2. Where is the patch file to protect from this vulnerability?

Environment

This article applies to all supported API Gateway versions running in our Appliance form factor. For users with software form factors, updating the OS is the responsibility of the server administrator.

Resolution

To answer a couple of questions first:

  1. Yes, this issue appears to impact RHEL and CentOS-based appliances.
  2. The patch is not available yet; when it is, at the end of the month, it will be posted on the Solutions & Patches page for CentOS-based Appliances.

According to the CentOS announcement, it appears the necessary RPMs were updated at the end of January (after our January patch cut-off date), so they should be included in our February 2021 patches.

Please note: if the API Gateway is running in the software form factor, keeping the operating system packages up to date is the responsibility of the server administrator and not Broadcom. If the API Gateway is running in our Appliance form factor, see the Additional Information section below.

Additional Information

  • More information on the vulnerability can be found in CentOS's upstream project.
  • Important patch distribution information:
    • Please note that Broadcom no longer offers patches for appliances on Red Hat Enterprise Linux unless an extended support contract is in place for the appropriate Site ID.
      • If one is already in place, please open a support case to receive the February monthly platform patch at the end of February 2021 (monthly patches come out in the last few days of the month).
      • If an extended support contract is not in place for the Site ID, please contact Broadcom Sales for more information on how to obtain extended support if needed.
    • Patches for CentOS-based appliances will be posted on the Solutions & Patches page when available.