This article discusses two different (but related) "critical security alert" notices that went out to customers on May 20, 2021.
The notices instruct customers to contact Support for patches. Both alerts are linked below:
These alerts impact appliance form factors only. Software or container form factors are not affected.
This affects all appliance form factors running API Gateway 9.4 and 10.x (all CRs).
A security vulnerability was identified and fixed in appliance form factors.
"With this vulnerability an unprivileged user can get restricted shell access." per https://support.broadcom.com/external/content/critical-alert/Layer7-API-Gateway---Critical-Security-Alert/18134
This vulnerability applies to appliance form factors only.
On Gateway 9.4, the fix was first included in the May-dated monthly platform patch listed on the Solutions & Patches page. Because these platform patches are cumulative, any newer patch also contains the fix, and applying the latest one is recommended. The latest patch that includes this fix is titled Layer7_API_PlatformUpdate_64bit_v9.X-Patch-2021-05-20.L7P.
On Gateway 10, the fix was first included in the March-dated monthly platform patch listed on the Solutions & Patches page. Because these platform patches are cumulative, any newer patch also contains the fix, and applying the latest one instead of the March patch is recommended to stay current. The latest patch is titled Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2021-04-22.L7P. These patches are monthly and cumulative, so anything newer includes all earlier changes.
Note: on 9.3 and earlier, the file /etc/ssh/ssh_force_command.sh does not exist, so no changes are required.
"With this vulnerability an unprivileged user can view or edit restricted sensitive information." per https://support.broadcom.com/external/content/critical-alert/LAYER7-API-GATEWAY---CRITICAL-SECURITY-ALERT-2/18135
This vulnerability applies to appliance form factors only.
The API Gateway allows remote authenticated users to discover the LDAP bind password by using the SSG Menu to export and read the system's LDAP bind password value. In more basic terms, if LDAP is set up as an SSH authentication mechanism for the API Gateway server, then a logged-in ssgconfig user can gain access to the host's LDAP details, including the bind password, upon export.
If this is of concern, please let Support know via a support case and we will supply a fix. If no LDAP-based SSH login has been set up on the host, no action is required.