CVE/Vulnerabilities in Software Gateway in 11.1

Article ID: 373893

Products

CA API Gateway

Issue/Introduction

Software Gateway 11.1.00, current SSG version: ssg-11.1.00-17707.noarch. A list of CVEs was provided for review.

Environment

Gateway 11.1

Resolution

Reviewed the list of High and Critical CVEs. The Broadcom API Management product team does not typically review Medium severity CVEs.

Four KBs, each containing the CVEs listed:

KB 275070

KB 267321

KB 238288

KB 281962

Critical:

CVE-2021-23926: Gateway is not affected. XML parsing in Gateway is usually done through a parser that disallows external entities.

CVE-2022-1471 is mitigated: Gateway does not use SnakeYaml's Constructor class directly, and the swagger-parser library code also uses the recommended SafeConstructor class, so there is no impact.
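The distinction between SnakeYaml's Constructor and SafeConstructor is what the assessment above rests on. This added example (not Gateway or swagger-parser code) builds a loader with SafeConstructor and checks that it refuses a document carrying a global tag; the tagged class name is a placeholder.

```java
// Added example: verifying a SnakeYAML loader is configured with SafeConstructor,
// the mitigation for CVE-2022-1471. Not code from the Gateway or swagger-parser.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample: a mapping value with a global "!!" tag that asks the
    // loader to instantiate a class. "com.example.Placeholder" is a placeholder name.
    static final String TAGGED_DOC = "config: !!com.example.Placeholder {}\n";

    // Recommended configuration: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and rejects every global tag instead of resolving it.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also bounds alias expansion
        return new Yaml(new SafeConstructor(opts));
    }

    /** Returns true when the given loader refuses the tagged document. */
    static boolean rejectsGlobalTag(Yaml yaml) {
        try {
            yaml.load(TAGGED_DOC);
            return false; // a permissive Constructor-based loader would try to instantiate the class
        } catch (ConstructorException e) {
            return true;  // SafeConstructor: "could not determine a constructor for the tag ..."
        }
    }

    public static void main(String[] args) {
        Yaml yaml = safeLoader();
        // Ordinary configuration YAML still loads normally.
        Map<String, Object> plain = yaml.load("config: {timeout: 30}\n");
        System.out.println("plain document loaded: " + plain);
        // Expected: true
        System.out.println("global tag rejected: " + rejectsGlobalTag(yaml));
    }
}
```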

CVE-2019-13990 is part of the quartz-jobs package (org.quartz.jobs.ee.jms.SendQueueMessageJob). Gateway does not use or ship the quartz-jobs package, so this CVE has no impact.

CVE-2016-1000027: the Gateway and Portal Spring versions are not impacted by this CVE.

Gateway does not use Java serialization and does not expose Spring HTTP Invoker endpoints.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027
https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525

CVE-2024-28752: Gateway does not use the Apache CXF jar in the MTOM assertion.

CVE-2022-46364: Gateway does not use the Apache CXF jar in the MTOM assertion.

High:

CVE-2019-0231: the Black Duck Security Advisory (BDSA) team has determined that Gateway is not affected, and the GW engineering team classified this as medium impact.

CVE-2023-2976: FileBackedOutputStream is not used in Gateway (for both jars).

CVE-2023-6378: the logback receiver component is not used by API Gateway, so there is no direct impact from this vulnerability.

PRISMA-2023-0067: note that Broadcom needs a CVE identifier to investigate further.

CVE-2024-22243, CVE-2024-22259 (spring-web 5.3.30):

KB 281962

Vulnerability scans flag CA API Gateways with the Spring Framework Open Redirect vulnerability because of the following files:

/opt/SecureSpan/Controller/lib/spring-core-5.3.30.jar

/opt/SecureSpan/Gateway/runtime/lib/spring-core-5.3.30.jar

CVE-2024-22259 (https://spring.io/security/cve-2024-22259)

CVE-2022-25647: as per the vulnerability fix provided here (https://github.com/google/gson/pull/1991/files), none of the affected classes are used directly or indirectly in Gateway modules, so this CVE does not affect Gateway.

CVE-2023-36478 (https://nvd.nist.gov/vuln/detail/CVE-2023-36478), HIGH, file path opt/SecureSpan/Gateway/runtime/lib/ehcache-2.10.9.2.jar, marked IGNORED.

This vulnerability affects Jetty, which is used by API Gateway 10.x and 11.0 for the HTTP/2 listen port (inbound) implementation.

Since CVE-2023-44487 requires a malicious client to exploit it, the HTTP/2 routing assertion (outbound) is not affected. This vulnerability has been addressed in 10.1 CR04 and 11.0 CR02.

CVE-2021-46877: Gateway does not make use of the vulnerable class/functionality, i.e. NodeSerialization.

CVE-2019-12419 (org.apache.cxf_cxf-core) is related to the OpenId Connect service and access tokens. The advisory states: "Users of Apache CXF that rely on the OpenId Connect service should update to either the 3.3.4 or 3.2.11 releases." Gateway does not use this package, so it is not vulnerable.

CVE-2022-42003: the CVE description says resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS is not enabled in Gateway, and the default is false (not enabled), so this CVE has no impact.

CVE-2022-42004: the CVE description says an application is vulnerable only with certain customized choices for deserialization. Gateway uses the default settings of the ObjectMapper class with no customized choices for deserialization, so this CVE may not be applicable.
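Both of the jackson-databind assessments above (CVE-2022-42003 and CVE-2022-42004) depend on UNWRAP_SINGLE_VALUE_ARRAYS staying at its default. This added example (not Gateway code) audits an ObjectMapper for that setting and shows that a default mapper rejects a nested wrapper array outright instead of unwrapping it level by level.

```java
// Added example: auditing jackson-databind's UNWRAP_SINGLE_VALUE_ARRAYS setting,
// the precondition for CVE-2022-42003 / CVE-2022-42004. Not Gateway code.
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

import java.io.IOException;

public class JacksonUnwrapAudit {

    // Constructed input: a primitive wrapped in several array levels.
    static final String NESTED = "[[[[42]]]]";

    /** True when the mapper keeps the default (disabled) single-value-array unwrapping. */
    static boolean usesDefaultUnwrapping(ObjectMapper mapper) {
        return !mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    /**
     * True when the mapper refuses to read an array where a scalar is expected.
     * With default settings Jackson fails at the first array level, so there is no
     * recursive unwrapping for deeply nested input to exercise.
     */
    static boolean rejectsNestedWrapper(ObjectMapper mapper) {
        try {
            mapper.readValue(NESTED, Integer.class);
            return false;
        } catch (MismatchedInputException e) {
            return true;   // "Cannot deserialize value of type java.lang.Integer from Array value"
        } catch (IOException e) {
            return false;  // any other failure is not the behaviour being checked
        }
    }

    public static void main(String[] args) {
        ObjectMapper defaults = new ObjectMapper();
        // Expected: default unwrapping = true, rejects nested wrapper = true
        System.out.println("default unwrapping: " + usesDefaultUnwrapping(defaults));
        System.out.println("rejects nested wrapper: " + rejectsNestedWrapper(defaults));

        // The "customized choice" the CVE description refers to: enabling the feature.
        ObjectMapper customized = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        // Expected: false; such a mapper would need to be reviewed against the advisory.
        System.out.println("customized mapper at default: " + usesDefaultUnwrapping(customized));
    }
}
```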

CVE-2022-24839 (https://nvd.nist.gov/vuln/detail/CVE-2022-24839), HIGH, file path opt/SecureSpan/Gateway/runtime/lib/nekohtml-1.9.15.jar.

CVE-2022-46363: as per the description, "The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together". This is an unlikely scenario in Gateway, i.e. CXFServlet is not configured for static-resources-list; that is handled by another servlet in 'PCServletContainer', so Gateway is not impacted by this CVE.

CVE-2022-0839: org.liquibase:liquibase-core (liquibase-4.5.0.jar)
Gateway is not affected: it uses Liquibase only to install/upgrade the DB schema from the SSG config menu, and no server component is used.

Additional Information

  • Spring Framework is expected to be upgraded to 6.x in version 11.2 (ETA November 2025)
  • (CVE-2022-1471) SnakeYaml is expected to be upgraded to 2.17.x in version 11.1.2 (ETA March 2025)