
Remotecache assertion vulnerabilities


Article ID: 215127

Products

CA API Gateway

Issue/Introduction

There are 4 Critical and High vulnerabilities identified by the scan of the RemoteCacheAssertion-1.5.0.aar artifact that need to be addressed:

spring-web-5.2.5.RELEASE.jar

  • vulnerability: a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
  • vulnerable class: HttpInvokerServiceExporter.class

shiro-core-1.6.0.jar

  • vulnerability: when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass
  • vulnerable class: AntPathMatcher.class

jackson-databind-2.10.1.jar

  • vulnerability: Jackson Databind does not have entity expansion secured properly. This flaw leaves it vulnerable to XML external entity (XXE) attacks.
  • vulnerable class: DOMDeserializer.class

commons-io-2.6.jar

  • vulnerability: FilenameUtils.class improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.
  • vulnerable class: FilenameUtils.class

Please address these 4 vulnerabilities and respond to the ticket with whether we are vulnerable or not.
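As an added example (not part of the article and not Broadcom tooling), the following Python check inspects an assertion archive for the jars the scan flagged and reports whether each one still ships the named class, which is the first thing to establish before answering "vulnerable or not". It assumes the .aar is a plain zip containing nested jars and builds its own constructed sample archive; the `lib/` layout inside it is assumed.

```python
"""Scan a Gateway assertion .aar (assumed: plain zip with nested jars) for flagged jars/classes."""
import io
import os
import zipfile

# Jar file-name prefix -> simple name of the class the scan report flags.
FLAGGED = {
    "spring-web-": "HttpInvokerServiceExporter.class",
    "shiro-core-": "AntPathMatcher.class",
    "jackson-databind-": "DOMDeserializer.class",
    "commons-io-": "FilenameUtils.class",
}

def scan_aar(aar_bytes):
    """Return {jar path: (flagged class, present?)} for each nested jar whose
    name starts with a flagged prefix; jars the report does not name are skipped."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as aar:
        for entry in aar.namelist():
            if not entry.endswith(".jar"):
                continue
            for prefix, cls in FLAGGED.items():
                if not os.path.basename(entry).startswith(prefix):
                    continue
                # Open the nested jar from memory; match the class by its simple name.
                with zipfile.ZipFile(io.BytesIO(aar.read(entry))) as jar:
                    present = any(os.path.basename(n) == cls for n in jar.namelist())
                findings[entry] = (cls, present)
    return findings

def _jar(entries):
    """Build a throwaway jar (zip) holding empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"")
    return buf.getvalue()

def build_sample_aar():
    """Constructed sample .aar (layout assumed): a flagged jar still shipping its
    class, a flagged jar without it, and a jar the report never mentions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as aar:
        aar.writestr("lib/shiro-core-1.6.0.jar", _jar(["org/apache/shiro/util/AntPathMatcher.class"]))
        aar.writestr("lib/commons-io-2.6.jar", _jar(["META-INF/MANIFEST.MF"]))
        aar.writestr("lib/other-lib-1.0.jar", _jar(["com/example/Foo.class"]))
    return buf.getvalue()
```

Presence of a flagged class only shows the code is shipped; whether it is reachable (the article's point about the Redis backend not using geode-core) still has to be checked separately.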

Environment

Release : 10.0

Component : API GATEWAY

Resolution

Ref: DE478268

1. The Gateway is not vulnerable to these CVEs, as geode-core and its dependent libraries are not used when the backend cache is Redis.


All other libraries are dependent libraries of geode-core:
https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.3.0

  • geode-core-1.13.0
  • shiro-core-1.6.0
  • commons-beanutils-1.9.4
  • commons-io-2.8
  • jackson-databind-2.11.3
  • jgroups-5.0.4.Final

I'm checking with engineering whether this library is included or not when using the Redis backend cache.

2. Regarding spring-web-5.2.5.RELEASE.jar, the vulnerabilities have been fixed in CR1; however, there is also CR02, which resolves several vulnerabilities, and CR03, the latest one.

Also, there is the monthly patch update:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/release-notes/resolved-issues.html

https://support.broadcom.com/external/content/release-announcements/CA-API-Gateway-Solutions--Patches/3024

Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2021-04-22.L7P

which also needs to be applied; then check again whether the vulnerability is resolved.

3. If you have additional questions, please open a case at https://support.broadcom.com/