Is the API Gateway impacted by CVE-2022-34169?
API Gateway 10.X
The CVE description says, 'An integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode'.
The Gateway does not use the XSLTC compiler to compile stylesheets, so this CVE does not affect the Gateway.
The jar file in question is xalan-2.7.2.jar. The Gateway uses a patched version of this jar file (xalan-2.7.2-l7p1.jar). The xsltc module files that expose the vulnerability have been removed from the patched jar file.
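To confirm on an installed system that a Xalan jar carries no XSLTC classes, the jar can be inspected directly. The script below is an added example, not vendor code. It assumes the upstream Xalan-J package layout (`org/apache/xalan/xsltc/`) and takes the jar path as an argument, since the page does not give the jar's location. The sample jars are constructed in memory.

```python
import io
import sys
import zipfile

# Package path of the XSLTC compiler classes inside Apache Xalan-J jars.
XSLTC_PREFIX = "org/apache/xalan/xsltc/"
# JAXP service file that names the jar's default TransformerFactory.
SERVICE_ENTRY = "META-INF/services/javax.xml.transform.TransformerFactory"


def audit_xalan_jar(jar):
    """Report XSLTC content in a jar given as a path or file-like object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        xsltc = sorted(n for n in names
                       if n.startswith(XSLTC_PREFIX) and n.endswith(".class"))
        factory = None
        if SERVICE_ENTRY in names:
            text = zf.read(SERVICE_ENTRY).decode("utf-8", "replace")
            for line in text.splitlines():
                line = line.split("#", 1)[0].strip()  # drop comments
                if line:
                    factory = line
                    break
    return {
        "xsltc_classes": xsltc,
        "xsltc_present": bool(xsltc),
        "service_factory": factory,
        "xsltc_is_default": bool(factory)
        and factory.startswith("org.apache.xalan.xsltc."),
    }


def constructed_jar(entries):
    """Build an in-memory jar from {name: bytes}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed stand-ins, not the real jars: one with XSLTC classes, one without.
INTERPRETIVE = b"# default\norg.apache.xalan.processor.TransformerFactoryImpl\n"
WITH_XSLTC = {SERVICE_ENTRY: INTERPRETIVE,
              XSLTC_PREFIX + "compiler/XSLTC.class": b"\xca\xfe\xba\xbe",
              "org/apache/xalan/processor/TransformerFactoryImpl.class": b""}
WITHOUT_XSLTC = {k: v for k, v in WITH_XSLTC.items()
                 if not k.startswith(XSLTC_PREFIX)}

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the gateway's xalan jar
        print(path, audit_xalan_jar(path))
```

A result with `xsltc_present` false and `xsltc_is_default` false matches what the page states about the patched jar. Any other jar on the classpath that bundles the same package can be checked the same way.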