Vulnerabilities Queries

Article ID: 393367

Updated On: 05-08-2025

Products

CA API Gateway

Issue/Introduction

The February Docker image, which includes the patch, has been applied.

Image : caapim/gateway:11.1.1_20250228

 

However, the critical and major vulnerabilities below are still reported. Can you confirm whether they can be ignored, or give us a mitigation plan?

 

CVE-2019-0231

CVE-2022-29546

CVE-2025-23184

CVE-2022-42004

CVE-2024-52046

CVE-2022-1471

CVE-2022-0839

CVE-2021-23926

CVE-2016-1000027

CVE-2022-46337

Environment

API Gateway 11.1

Resolution

All of these CVEs are in Gateway components (bundled libraries), not in the operating system of the image, so they will be addressed in an upcoming Gateway release rather than by OS-level patching. This article gives no disposition for CVE-2022-29546 or CVE-2022-0839.

CVE-2019-0231 and CVE-2024-52046 - Apache MINA (https://nvd.nist.gov/vuln/detail/cve-2019-0231, https://nvd.nist.gov/vuln/detail/CVE-2024-52046):

MINA is being upgraded to version 2.1.8 in the GW 11.1.2 release, which is where both are mitigated.

 

CVE-2025-23184 - Apache CXF (https://nvd.nist.gov/vuln/detail/CVE-2025-23184): Addressed in the GW 11.1.2 release.

 

CVE-2022-1471 - SnakeYAML (https://nvd.nist.gov/vuln/detail/cve-2022-1471): SnakeYAML is upgraded to 2.3 in the GW 11.1.2 release.

 

CVE-2016-1000027 - Spring Framework (https://nvd.nist.gov/vuln/detail/cve-2016-1000027): We are moving to Spring 6.x, which is planned for the GW 11.2 release (tentative).

 

CVE-2022-42004 - FasterXML jackson-databind (https://nvd.nist.gov/vuln/detail/cve-2022-42004):

Jackson is being upgraded to a newer version as part of the 11.1.2 release. In one use case the older version remains a transitive dependency, but that does not affect the Gateway.

 

CVE-2022-46337 - Apache Derby, LDAP injection in authenticated Derby installations (https://nvd.nist.gov/vuln/detail/cve-2022-46337):

In the Gateway, Derby is not exposed to outside users via LDAP; it is consumed by Gateway APIs only, so the direct LDAP authentication path to the Derby database that this CVE requires is not applicable. The Derby project also rates the severity as low: https://lists.apache.org/thread/q23kvvtoohgzwybxpwozmvvk17rp0td3

 

CVE-2021-23926 - XML parser in XMLBeans (https://nvd.nist.gov/vuln/detail/cve-2021-23926): XMLBeans is upgraded to 3.1.0, available in the GW 11.1.2 release.
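A practitioner will want to confirm, on the image actually deployed, which library versions are present rather than rely on the release note alone. The script below is an added example written for this article (not Broadcom's code): it parses jar file names, keeps the tracked libraries, and compares the lowest copy found against the fixed versions this article names (MINA 2.1.8, SnakeYAML 2.3, XMLBeans 3.1.0). Those thresholds are taken from the article as stated and should be cross-checked against the NVD and vendor advisories; the sample jar list, the `/opt/gateway/lib` path and the artifact names are constructed assumptions, not output from a real image.

```python
"""Check jars from a Gateway image against the fixed library versions named
in this article (MINA 2.1.8, SnakeYAML 2.3, XMLBeans 3.1.0).

Added example, not Broadcom's code. Thresholds are as stated in the article;
cross-check them against the NVD/vendor advisories. SAMPLE_JARS is CONSTRUCTED
to resemble `find / -name '*.jar'` output from a container; real output differs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Artifact name -> (first fixed version named in the article, CVEs it covers)
FIXED_VERSIONS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "mina-core": ("2.1.8", ("CVE-2019-0231", "CVE-2024-52046")),
    "snakeyaml": ("2.3", ("CVE-2022-1471",)),
    "xmlbeans": ("3.1.0", ("CVE-2021-23926",)),
}

# "<artifact>-<numeric version>[-qualifier].jar"; the artifact name may contain dashes.
JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][^/]*)?\.jar$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.1.10 sorts after 2.1.8 (string comparison would not)."""
    return tuple(int(p) for p in v.split("."))


def parse_jar(path: str) -> Optional[Tuple[str, str]]:
    """Split a jar path into (artifact, version); None if the name has no numeric version."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    return (m.group("name"), m.group("version")) if m else None


def check_jars(jar_paths: List[str]) -> Dict[str, dict]:
    """Per tracked library: every version present, and whether the lowest meets the fix.

    The lowest copy decides, because an old duplicate anywhere on the classpath
    can still be the one that gets loaded.
    """
    found: Dict[str, List[str]] = {}
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed and parsed[0] in FIXED_VERSIONS:
            found.setdefault(parsed[0], []).append(parsed[1])

    report: Dict[str, dict] = {}
    for lib, (fixed, cves) in FIXED_VERSIONS.items():
        versions = sorted(found.get(lib, []), key=parse_version)
        if not versions:
            status = "not-found"
        elif parse_version(versions[0]) >= parse_version(fixed):
            status = "ok"
        else:
            status = "vulnerable"
        report[lib] = {"found": versions, "fixed_in": fixed, "cves": cves, "status": status}
    return report


# Constructed sample, not output from a real image; the path is an assumption.
SAMPLE_JARS = [
    "/opt/gateway/lib/mina-core-2.0.22.jar",
    "/opt/gateway/lib/snakeyaml-1.33.jar",
    "/opt/gateway/lib/xmlbeans-3.1.0.jar",
    "/opt/gateway/lib/jackson-databind-2.13.4.jar",
    "/opt/gateway/lib/derby-10.14.2.0.jar",
    "/opt/gateway/lib/gateway-common.jar",  # no numeric version: skipped
]


if __name__ == "__main__":
    import sys

    # Read jar paths from stdin when piped (e.g. from `find` in the container), else use the sample.
    paths = [l.strip() for l in sys.stdin if l.strip()] if not sys.stdin.isatty() else SAMPLE_JARS
    for lib, r in check_jars(paths).items():
        print(f"{lib:12} {r['status']:11} found={','.join(r['found']) or '-'} "
              f"fixed_in={r['fixed_in']} {', '.join(r['cves'])}")
```

To run it against the image from the question, pipe a jar listing into the script, for example `docker run --rm --entrypoint find caapim/gateway:11.1.1_20250228 / -name '*.jar' 2>/dev/null | python3 check_jars.py` (this assumes `find` exists in the image and that overriding the entrypoint is acceptable; both are assumptions, not something the article states). Jackson, Spring and Derby are listed in the sample but not in `FIXED_VERSIONS` because the article gives no target version for them; add an entry once a version is confirmed.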

 

The GW 11.1.2 release is planned for the end of March 2025.

 

Note: MPPs will not address any of these CVEs.