Remotecache assertion vulnerabilities

Article ID: 215127

Products

CA API Gateway

Issue/Introduction

The following 4 critical and high vulnerabilities were identified from the scan of the RemoteCacheAssertion-1.5.0.aar assertion:

spring-web-5.2.5.RELEASE.jar

  • Vulnerability: a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
  • Vulnerable class: HttpInvokerServiceExporter.class

shiro-core-1.6.0.jar

  • Vulnerability: when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass
  • Vulnerable class: AntPathMatcher.class

jackson-databind-2.10.1.jar

  • Vulnerability: Jackson Databind does not secure entity expansion properly, which leaves it exposed to XML external entity (XXE) attacks.
  • Vulnerable class: DOMDeserializer.class

commons-io-2.6.jar

  • Vulnerability: FilenameUtils.class improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.
  • Vulnerable class: FilenameUtils.class

Environment

Release : 10.0

Component : API GATEWAY

Resolution

1. The Gateway is not vulnerable to these CVEs because geode-core and its dependent libraries are not used when the backend cache is Redis.

All the other libraries listed above are dependencies of geode-core:
https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.3.0

  • geode-core-1.13.0
  • shiro-core-1.6.0
  • commons-beanutils-1.9.4
  • commons-io-2.8
  • jackson-databind-2.11.3
  • jgroups-5.0.4.Final

2. About the Spring vulnerability: Layer7 Gateway does not use WAR packaging or Spring's parameter binding feature. Based on the details available so far, this vulnerability does not apply to the Gateway, i.e. the Gateway is not vulnerable. You can read more about this here: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/Layer7-API-Gateway---Security-Advisory-for-Spring-CVE-2022-22965/20443