Remotecache assertion vulnerabilities



Article ID: 215127


Updated On:


CA API Gateway


The following four critical- and high-severity vulnerabilities were identified by a scan of the RemoteCacheAssertion-1.5.0.aar assertion archive:


  • Vulnerability: a potential remote code execution (RCE) issue if the class is used for Java deserialization of untrusted data.
  • Vulnerable class: HttpInvokerServiceExporter.class


  • Vulnerability: when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.
  • Vulnerable class: AntPathMatcher.class


  • Vulnerability: Jackson Databind does not secure entity expansion properly, which leaves it open to XML external entity (XXE) attacks.
  • Vulnerable class: DOMDeserializer.class


  • Vulnerability: FilenameUtils improperly validates the hostname value received from user input before processing client requests. An attacker could abuse this by crafting a payload containing unexpected characters that allows access to unintended resources.
  • Vulnerable class: FilenameUtils.class



Release : 10.0

Component : API GATEWAY


1. The Gateway is not vulnerable to these CVEs when the backend cache is Redis, because geode-core and its dependent libraries are not used in that configuration.

The other listed libraries are dependencies of geode-core:

  • geode-core-1.13.0
  • shiro-core-1.6.0
  • commons-beanutils-1.9.4
  • commons-io-2.8
  • jackson-databind-2.11.3
  • jgroups-5.0.4.Final
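A check a practitioner may want before relying on the statement above is to confirm which of the flagged classes and which of the listed library versions are actually bundled in the assertion archive deployed on a given Gateway. The following is an added example, not Layer7/CA code: it walks a .aar (a zip file) and every jar nested inside it, matches the flagged simple class names from the scan, and parses artifact versions from jar file names. The nested-jar layout, the <artifact>-<version>.jar naming pattern and the sample archive it builds in memory are assumptions and constructed data, not taken from the real archive.

```python
"""Inventory an assertion archive for the classes and libraries named in the scan above."""
import io
import os
import re
import sys
import zipfile

# Simple class names flagged by the scan, mapped to the finding from the article.
# Matching on the simple name avoids assuming which package (Spring's or Shiro's
# AntPathMatcher, for instance) the scanner meant.
FLAGGED_CLASSES = {
    "HttpInvokerServiceExporter.class": "Java deserialization of untrusted data (potential RCE)",
    "AntPathMatcher.class": "Shiro with Spring: crafted request may bypass authentication",
    "DOMDeserializer.class": "jackson-databind entity expansion not secured (XXE)",
    "FilenameUtils.class": "commons-io improper validation of user-supplied input",
}

# Libraries the article lists as bundled through geode-core.
LISTED_LIBRARIES = {
    "geode-core": "1.13.0",
    "shiro-core": "1.6.0",
    "commons-beanutils": "1.9.4",
    "commons-io": "2.8",
    "jackson-databind": "2.11.3",
    "jgroups": "5.0.4.Final",
}

# Assumed naming convention: <artifact>-<version>.jar, version starting with a digit.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar_name(path):
    """Return (artifact, version) parsed from a jar entry path, or None."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    return (m.group("artifact"), m.group("version")) if m else None


def scan_archive(data, prefix=""):
    """Walk a zip/jar given as bytes, recursing into any nested jar.

    Returns {"libraries": {artifact: version}, "classes": [(entry_path, finding)]}.
    Nested entries are reported as outer.jar!/inner/path.class.
    """
    found = {"libraries": {}, "classes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = prefix + name
            if name.lower().endswith(".jar"):
                parsed = parse_jar_name(name)
                if parsed:
                    found["libraries"][parsed[0]] = parsed[1]
                nested = scan_archive(zf.read(name), full + "!/")
                found["libraries"].update(nested["libraries"])
                found["classes"].extend(nested["classes"])
            else:
                finding = FLAGGED_CLASSES.get(os.path.basename(name))
                if finding:
                    found["classes"].append((full, finding))
    return found


def compare_with_advisory(found):
    """For each library the article lists, pair the bundled version (or None) with the listed one."""
    return {artifact: (found["libraries"].get(artifact), listed)
            for artifact, listed in LISTED_LIBRARIES.items()}


def _jar(class_entries):
    """Build a constructed jar whose entries carry only the class-file magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_aar():
    """Constructed stand-in for a real .aar: jars named like the article's list, one flagged class each."""
    jars = {
        "lib/geode-core-1.13.0.jar": ["org/apache/geode/cache/Cache.class"],
        "lib/shiro-core-1.6.0.jar": ["org/apache/shiro/util/AntPathMatcher.class"],
        "lib/commons-io-2.8.jar": ["org/apache/commons/io/FilenameUtils.class"],
        "lib/jackson-databind-2.11.3.jar": ["com/fasterxml/jackson/databind/ext/DOMDeserializer.class"],
        # Hypothetical Spring jar; the article does not list a Spring version.
        "lib/spring-web-5.2.0.RELEASE.jar": ["org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.class"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as aar:
        for path, classes in jars.items():
            aar.writestr(path, _jar(classes))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_aar.py RemoteCacheAssertion-1.5.0.aar (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_aar()
    result = scan_archive(data)
    for path, finding in result["classes"]:
        print(f"FLAGGED {path}: {finding}")
    for artifact, (bundled, listed) in compare_with_advisory(result).items():
        print(f"{artifact}: bundled={bundled} listed={listed}")
```

Running it against the real archive shows whether a given build still carries the classes the scanner flagged; running it against a Redis-backed Gateway's deployed modules is the complement to the configuration statement above, since the archive contents do not change with the cache backend, only whether the code paths are exercised.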


2. About the Spring vulnerability: the Layer7 Gateway does not use WAR packaging or Spring's parameter binding feature. Based on the details available so far, this vulnerability does not apply to the Gateway, i.e. the Gateway is not vulnerable. You can read more about this here: