There were some critical CVEs in JSON Schema v2, because of which Layer 7 10.1 was using v4.
Critical Vulnerability:
JSON Schema: Beginning with Gateway version 10.0 CR1, JSON Schema v2 has been deprecated due to critical CVEs found in a third-party library. Users are advised to upgrade any existing JSON schemas from v2 to v4 in their affected Gateway policy assertions (e.g., Validate JSON Schema Assertion (Threat Protection)) before upgrading to Gateway version 10.0 CR1 or newer. Users of API Portal should also review KB 199747: Compatibility with API Portal 4.x and API Gateway 10 CR1.
We need to know which CVEs are fixed and how we can find out, in our Layer 7 policies, whether they are being compromised. Our Layer 7 10.0 does use JSON v2, but we need to know if the system has been exploited. Please let us know this information.
Release: 10.1
Details on the update to JSON Schema v4
The development ticket for updating this library does not list all of the CVEs, but they are publicly known and can be found by searching for jackson-core-asl 1.9.7, for example on the Maven repository page for the artifact:
https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-core-asl/1.9.7
The vulnerabilities affect the jackson-core libraries (org.codehaus.jackson); remediating them resulted in the removal of JSON Schema v2 and the update to v4.
The jackson-core-asl update affects the JSON operation/transformation, JSON Schema, and JSON Path related assertions.
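Since the resolution tells users to migrate every JSON Schema v2 document in their policies to v4, the first practical step is inventorying which schemas are still written in the old vocabulary. The script below is an added example, not Broadcom/Layer7 tooling and not from the KB. It assumes the schemas used by Validate JSON Schema assertions have already been extracted from the policy export as standalone JSON documents (the Gateway does not do that for you here), and the sample documents it scans are constructed. It trusts an explicit `$schema` URI where one exists and otherwise infers the draft from keywords that draft-03 and draft-04 renamed or removed (JSON Schema "v2" is draft-02, "v4" is draft-04).

```python
"""Flag JSON schemas that still use the pre-draft-04 (JSON Schema v2/v3) vocabulary.

Added example, not Layer7/Broadcom tooling. Assumes the schemas referenced by
Validate JSON Schema assertions were extracted from the policy export as standalone
JSON documents; the SAMPLES below are constructed for this demonstration.
"""
import json

# Public $schema identifiers. JSON Schema "v2" is draft-02, "v4" is draft-04.
SCHEMA_URIS = {
    "http://json-schema.org/draft-01/schema": "draft-02 or earlier",
    "http://json-schema.org/draft-02/schema": "draft-02 or earlier",
    "http://json-schema.org/draft-03/schema": "draft-03",
    "http://json-schema.org/draft-04/schema": "draft-04",
}

# Keywords that draft-03 renamed or dropped, so they only occur in v2-era schemas.
V2_ONLY_KEYWORDS = {"optional", "requires", "maxDecimal", "minimumCanEqual", "maximumCanEqual"}
# Keywords still legal in draft-03 but removed in draft-04 (replaced by multipleOf/not/allOf).
PRE_V4_KEYWORDS = {"divisibleBy", "disallow", "extends"}


def _children(node):
    """Nested schema objects of one node. Property *names* are user data, so only the
    values under properties/patternProperties are visited, never their keys."""
    for key in ("properties", "patternProperties"):
        props = node.get(key)
        if isinstance(props, dict):
            yield from (child for child in props.values() if isinstance(child, dict))
    for key in ("items", "additionalProperties", "additionalItems", "extends"):
        value = node.get(key)
        if isinstance(value, dict):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, dict))


def _walk(node):
    yield node
    for child in _children(node):
        yield from _walk(child)


def classify_schema(schema):
    """Return (label, evidence). Trusts an explicit $schema; otherwise infers the draft
    from the vocabulary used anywhere in the schema tree."""
    declared = schema.get("$schema")
    if isinstance(declared, str):
        return SCHEMA_URIS.get(declared.rstrip("#"), "unknown"), ["$schema=" + declared]
    evidence = set()
    for node in _walk(schema):
        evidence.update(k for k in node if k in V2_ONLY_KEYWORDS or k in PRE_V4_KEYWORDS)
        if isinstance(node.get("required"), bool):  # boolean 'required' is draft-03 syntax
            evidence.add("required=<bool>")
    if evidence & V2_ONLY_KEYWORDS:
        return "draft-02 or earlier", sorted(evidence)
    if evidence:
        return "draft-03", sorted(evidence)
    return "draft-04", []


def classify_text(text):
    """Classify one schema document given as text; malformed input is reported, not skipped."""
    try:
        schema = json.loads(text)
    except ValueError:
        return "invalid JSON", []
    if not isinstance(schema, dict):
        return "invalid JSON", []
    return classify_schema(schema)


def scan(documents):
    """{name: schema_text} -> {name: label}. Anything not labelled draft-04 needs migration."""
    return {name: classify_text(text)[0] for name, text in documents.items()}


# Constructed sample schemas (not taken from any real policy).
SAMPLES = {
    "order-v2.json": json.dumps({
        "type": "object",
        "properties": {
            "id": {"type": "integer", "optional": False},
            "coupon": {"type": "string", "optional": True, "requires": "id"},
        },
    }),
    "order-v3.json": json.dumps({
        "type": "object",
        "properties": {
            "id": {"type": "integer", "required": True},
            "qty": {"type": "integer", "divisibleBy": 2},
        },
    }),
    "order-v4.json": json.dumps({
        "$schema": "http://json-schema.org/draft-04/schema#",
        "type": "object",
        "required": ["id"],
        "properties": {"id": {"type": "integer"}, "qty": {"type": "integer", "multipleOf": 2}},
    }),
    "broken.json": "{ not json",
}

if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        status = "OK" if label == "draft-04" else "MIGRATE"
        print(f"{status:8} {label:22} {name}")
```

Run it over the extracted schema files and migrate everything not reported as draft-04. Note that a schema with no `$schema` and none of the old keywords is reported as draft-04 compatible by vocabulary only; confirm its behaviour against the Gateway's v4 validator before relying on it.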