CVEs for CONGW10.0 CR03

CVEs for CONGW10.0 CR03


Article ID: 234240


Products

CA API Gateway

Issue/Introduction

Our security team has observed certain CVEs, of which one critical CVE is "CVE-2020-1938" (When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat). We have a few other CVEs as well which are high. Can you let us know if these are fixed in any other tagged image, and if so which tag? Below is the list of CVEs our security team has observed.

CVE-2019-3842
CVE-2016-2226
CVE-2017-9749
CVE-2014-4650
CVE-2017-9756
CVE-2017-9746
CVE-2018-6323
CVE-2015-2080
CVE-2017-9747
CVE-2017-9748
CVE-2017-9742
CVE-2020-1938
CVE-2017-9750
CVE-2018-1123
CVE-2017-18078


Environment

Release : 10.0

Component : API GATEWAY

Resolution

Scanned the gateway containers using the Trivy tool:

https://github.com/aquasecurity/trivy


For Gateway 10.1, the bundled Tomcat is newer than the versions listed in the report.

Report:   “In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99”

Gateway 10.1 CR1 is above the affected range:

[root@<hostname> gw10]#  docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

caapim/gateway      10.1.00_20220125    15346dc6f249        12 days ago         751MB


Access the container to check the Tomcat version:


# docker exec -it 27c2ab0b9d99 ls -l /opt/SecureSpan/Gateway/runtime/lib

-rw-r-----. 1 root root  3385617 Jan 14 04:48 tomcat-embed-core-9.0.52-l7p1.jar

Gateway 10 CR4 upgrades to Tomcat 7.0.99, not 7.0.100; Engineering is looking at upgrading to that version.

Engineering added a task to update Tomcat to 7.0.100.

Note that the Gateway does not use the AJP connector.


Development analysis below (reviews from Container Gateway v10.1):

CVE-2020-1938 (Critical): No impact; the Gateway does not use the AJP connector.

CVE-2019-3842: https://access.redhat.com/security/cve/cve-2019-3842 : No impact in the Gateway (unless a wrong PAM config file is in place, this vulnerability cannot be triggered on Red Hat Enterprise Linux 7); marked as moderate impact by Red Hat, no fix available.

CVE-2016-2226: https://access.redhat.com/security/cve/cve-2016-2226 : No impact (native code); marked as low impact by Red Hat, no fix available.

CVE-2017-9749: https://access.redhat.com/security/cve/cve-2017-9749 : Impacted version is binutils 2.28; the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64). Marked as low impact by Red Hat, no fix available.

CVE-2014-4650: https://nvd.nist.gov/vuln/detail/CVE-2014-4650 : Issue with the CGIHTTPServer module in Python; no impact in the Gateway.

CVE-2017-9756: https://www.cvedetails.com/cve/CVE-2017-9756 : Impacted version is binutils 2.28; the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2017-9746: https://access.redhat.com/security/cve/cve-2017-9746 : Marked as low impact by Red Hat; impacted version is binutils 2.28, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2018-6323: https://access.redhat.com/security/cve/CVE-2018-6323 : Marked as low impact by Red Hat; impacted version is binutils 2.29.1, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2015-2080: https://access.redhat.com/security/cve/cve-2015-2080 : The Gateway uses a higher version of Jetty, and as per Red Hat, RHEL 7 is not affected by this vulnerability.

CVE-2017-9747: https://access.redhat.com/security/cve/cve-2017-9747 : Marked as low impact by Red Hat; impacted version is binutils 2.28, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2017-9748: https://access.redhat.com/security/cve/cve-2017-9748 : Marked as low impact by Red Hat; impacted version is binutils 2.28, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2017-9742: https://access.redhat.com/security/cve/cve-2017-9742 : Marked as low impact by Red Hat; impacted version is binutils 2.28, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2017-9750: https://access.redhat.com/security/cve/cve-2017-9750 : Marked as low impact by Red Hat; impacted version is binutils 2.28, the Gateway container has 2.27 (binutils-2.27-44.base.el7.x86_64).

CVE-2018-1123: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1123 : No fix available from Red Hat; marked as low impact.

CVE-2017-18078: https://access.redhat.com/security/cve/cve-2017-18078 : No fix available from Red Hat. As per the mitigation plan, the Gateway system is protected.

To ensure your system is protected, check that `fs.protected_hardlinks` is enabled, as in the following example:

  # sysctl fs.protected_hardlinks

  fs.protected_hardlinks = 1
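The three checks this resolution relies on (the tomcat-embed-core jar version from /opt/SecureSpan/Gateway/runtime/lib against the Tomcat ranges quoted from the report, the binutils RPM version against the first affected upstream release, and the fs.protected_hardlinks sysctl) as an added Python triage helper; this is not code from the article or from the Gateway product. The function names are assumptions, the page's own terminal output is used as input, and the comparison is purely by version string, so it does not account for vendor backports.

```python
import re

# CVE-2020-1938 affected Tomcat ranges as quoted in the Trivy report. The
# report writes the 9.x upper bound as "9.0.0.30", i.e. the 9.0.30 release
# (the fix shipped in 9.0.31, 8.5.51 and 7.0.100).
TOMCAT_AFFECTED = [("9.0.0.M1", "9.0.30"), ("8.5.0", "8.5.50"), ("7.0.0", "7.0.99")]

def version_key(version):
    """Comparable tuple for '9.0.0.M1', '9.0.30', '9.0.52-l7p1' or '2.27'.
    A vendor suffix like '-l7p1' is dropped; a milestone 'M<n>' becomes (-1, n)
    and a release gets a trailing 0, so that 9.0.0.M1 < 9.0.0 < 9.0.1."""
    key, milestone = [], False
    for part in version.split("-", 1)[0].split("."):
        if part.startswith("M"):
            key.extend([-1, int(part[1:])])
            milestone = True
        else:
            key.append(int(part))
    return tuple(key if milestone else key + [0])

def tomcat_affected(version):
    """True if the Tomcat version lies inside one of the affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in TOMCAT_AFFECTED)

def tomcat_version_from_ls(ls_output):
    """Pull the Tomcat version out of an 'ls -l .../runtime/lib' listing."""
    m = re.search(r"tomcat-embed-core-(\S+?)\.jar", ls_output)
    return m.group(1) if m else None

def rpm_version(nevra):
    """Upstream version from an RPM name: binutils-2.27-44.base.el7.x86_64 -> 2.27."""
    m = re.match(r"^(.+?)-(\d[^-]*)-([^-]+)$", nevra)
    return m.group(2) if m else None

def binutils_affected(nevra, first_affected):
    """True if the installed binutils is at or above the first affected upstream version."""
    return version_key(rpm_version(nevra)) >= version_key(first_affected)

def hardlinks_protected(sysctl_output):
    """True if 'sysctl fs.protected_hardlinks' reports the value 1."""
    m = re.search(r"fs\.protected_hardlinks\s*=\s*(\d+)", sysctl_output)
    return bool(m) and m.group(1) == "1"

if __name__ == "__main__":
    # Inputs taken from the article's own terminal output.
    ls_line = "-rw-r-----. 1 root root  3385617 Jan 14 04:48 tomcat-embed-core-9.0.52-l7p1.jar"
    tomcat = tomcat_version_from_ls(ls_line)
    print("tomcat", tomcat, "affected:", tomcat_affected(tomcat))
    print("binutils 2.27 >= 2.28:", binutils_affected("binutils-2.27-44.base.el7.x86_64", "2.28"))
    print("hardlinks protected:", hardlinks_protected("fs.protected_hardlinks = 1"))
```

Feed it the output of `docker exec <container> ls -l /opt/SecureSpan/Gateway/runtime/lib`, `rpm -q binutils` and `sysctl fs.protected_hardlinks` from the container you are assessing.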