There are 4 Critical and High vulnerabilities identified from the scan of the RemoteCacheAssertion-1.5.0.aar artifact that need to be addressed:
spring-web-5.2.5.RELEASE.jar
shiro-core-1.6.0.jar
jackson-databind-2.10.1.jar
commons-io-2.6.jar
Please address these 4 vulnerabilities and respond to the ticket stating whether we are vulnerable or not.
Release : 10.0
Component : API GATEWAY
Ref: DE478268
1. Gateway is not vulnerable to these CVEs, as geode-core and its dependent libraries are not used when the backend cache is Redis.
All the other listed libraries are dependencies of geode-core:
https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.3.0
geode-core-1.13.0
shiro-core-1.6.0
commons-beanutils-1.9.4
commons-io-2.8
jackson-databind-2.11.3
jgroups-5.0.4.Final
I'm checking with engineering whether this library is included or not when using the Redis backend cache.
2. Regarding spring-web-5.2.5.RELEASE.jar, the vulnerabilities have been fixed in CR1; however, CR02 resolves several further vulnerabilities, and CR03 is the latest one.
There is also the Monthly Patch update:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/release-notes/resolved-issues.html
https://support.broadcom.com/external/content/release-announcements/CA-API-Gateway-Solutions--Patches/3024
Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2021-04-22.L7P
which also needs to be applied; after applying it, re-scan to check whether the vulnerability is resolved.
3. If you have additional questions, please open a case at https://support.broadcom.com/