The following 4 critical and high vulnerabilities were identified from the scan of the RemoteCacheAssertion-1.5.0.aar assertion:
spring-web-5.2.5.RELEASE.jar
shiro-core-1.6.0.jar
jackson-databind-2.10.1.jar
commons-io-2.6.jar
Release : 10.0
Component : API GATEWAY
1. The Gateway is not vulnerable to these CVEs, because geode-core and its dependent libraries are not used when the backend cache is Redis.
All other libraries are dependencies of geode-core:
https://mvnrepository.com/artifact/org.apache.geode/geode-core/1.3.0
2. About the Spring vulnerability: Layer7 Gateway does not use WAR packaging or Spring's parameter binding feature. Based on the details available so far, this vulnerability does not apply to the Gateway, i.e. the Gateway is not vulnerable. You can read more about this here: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/Layer7-API-Gateway---Security-Advisory-for-Spring-CVE-2022-22965/20443