Need to find the CVE which were fixed between Layer 7 10.0 and 10.1 with respect to JSON Schema Validations

Article ID: 260778

Products

CA API Gateway

Issue/Introduction

There were some critical CVEs in JSON Schema v2, because of which Layer 7 10.1 was using v4.

Critical Vulnerability:

JSON Schema

Beginning with Gateway version 10.0 CR1, JSON Schema v2 has been deprecated due to critical CVEs found in a third-party library. Users are advised to upgrade any existing JSON schemas from v2 to v4 in their affected Gateway policy assertions (e.g., Validate JSON Schema Assertion (Threat Protection)) before upgrading to Gateway version 10.0 CR1 or newer. Users of API Portal should also review KB 199747: Compatibility with API Portal 4.x and API Gateway 10 CR1.

We need to know which CVEs are fixed and how we can find in our Layer 7 policies whether they are being compromised. Our Layer 7 10.0 does use JSON v2, but we need to know if the system is exploited. Please let us know this information.

Environment

Release: 10.1

Resolution

Details on the update to JSON v4

The Dev ticket to update this library does not list all the CVEs, but they are known and can be found by searching for jackson-core-asl 1.9.7:

The vulnerabilities affect the jackson-core libraries; addressing them resulted in the removal/update of JSON Schema v2 support.

https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-core-asl/1.9.7

  • jackson-core-asl: the current version is 1.9.7. The upgrade will result in the removal of JSON Schema Draft v2 support from the Gateway. The other components need to be upgraded to the FasterXML Jackson libraries so that the impact can be reduced to only the JSON Schema Validation Assertion. The other areas are:
    • SoapFaultManager
    • ApiPortalIntegrationAssertion
    • JwtAssertion
    • JsonDocumentStructureAssertion
    • PortalUpgradeAssertion
    • JsonJoltAssertion
    • PortalBootstrapAssertion 

The jackson-core-asl update affects the JSON operation/transformation, JSON Schema and JSON Path related assertions.
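As a triage aid for the v2-to-v4 upgrade advice above, the following is an added Python example (not Gateway or Broadcom code) that reports a schema's declared draft and any pre-draft-04 keywords that must be rewritten before the schema is loaded into a 10.0 CR1 or newer Gateway. It assumes the schemas have already been exported from the policy assertions as JSON text; the policy export format itself is not covered here, and the sample schemas are constructed.

```python
import json

# Declared "$schema" URIs ("#" stripped): draft-02 is the deprecated v2, draft-04 the v4.
DRAFT_URIS = {"http://json-schema.org/draft-02/schema": "draft-02",
              "http://json-schema.org/draft-03/schema": "draft-03",
              "http://json-schema.org/draft-04/schema": "draft-04"}
# Keywords draft-04 renamed or dropped; a hit marks a schema that still needs migrating.
LEGACY_KEYWORDS = {
    "optional": "dropped; draft-04 lists required names in a 'required' array",
    "divisibleBy": "renamed to 'multipleOf'",
    "disallow": "dropped; use 'not'",
    "extends": "dropped; use 'allOf'",
}
BOOL_REQUIRED = "boolean 'required' is draft-03; draft-04 uses an array on the parent"
# Keywords whose child keys are user-chosen names, not schema keywords.
NAME_MAPS = {"properties", "patternProperties", "definitions", "dependencies"}

def _walk(node, path, findings, keys_are_names=False):
    """Recursively collect legacy keywords together with their JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if not keys_are_names:
                if key in LEGACY_KEYWORDS:
                    findings.append((here, LEGACY_KEYWORDS[key]))
                elif key == "required" and isinstance(value, bool):
                    findings.append((here, BOOL_REQUIRED))
            _walk(value, here, findings, not keys_are_names and key in NAME_MAPS)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}/{i}", findings)

def triage_schema(schema_text):
    """Classify one schema document: declared draft plus any legacy keyword hits."""
    schema = json.loads(schema_text)
    declared = schema.get("$schema", "").rstrip("#") if isinstance(schema, dict) else ""
    draft = DRAFT_URIS.get(declared, "undeclared")
    findings = []
    _walk(schema, "", findings)
    return {"draft": draft, "legacy": findings,
            "needs_migration": draft in ("draft-02", "draft-03") or bool(findings)}

# Constructed sample schemas (not from any Gateway), one per side of the migration.
SAMPLE_V2 = json.dumps({
    "$schema": "http://json-schema.org/draft-02/schema#", "type": "object",
    "properties": {"amount": {"type": "number", "divisibleBy": 0.01},
                   "note": {"type": "string", "optional": True}}})
SAMPLE_V4 = json.dumps({
    "$schema": "http://json-schema.org/draft-04/schema#", "type": "object",
    "properties": {"amount": {"type": "number", "multipleOf": 0.01}}, "required": ["amount"]})
```

A schema reported as "undeclared" with no legacy hits still deserves a manual look, since a schema that never set "$schema" may have been validated as v2 by the older assertion.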