API Management products currently known to be affected:
Workaround / Resolution:
Patches have been issued by CA Technologies for the following products:
Patches can be found on the Solutions & Patches page, and are named as below:
Any platform updates with dates equal to or later than 2018-01-05 (YYYY-MM-DD) will include the necessary patches to mitigate the vulnerabilities.
The monthly platform update noted above includes the following patches from Red Hat. If more are released, they will also be distributed in the monthly platform updates.
Customers using the AMI form factor on Amazon should know that Amazon has patched the vulnerability for their EC2 fleet at the hypervisor level. If the Gateway is an AWS AMI image based instance, for unforeseeable possibility of having the kernel boot error issue remain with your AWS AMI image in general, please take a snapshot before applying this patch. If the boot error issue ever occurs, you cannot recover the image.
In addition to any patches issued by CA Technologies, customers are advised to apply vendor-provided patches to hardware that is being used to run the virtual appliance, container, or software form factors as they become available.
For the CA API Developer Portal Enhanced Experience, customers need to update the kernel by performing the following steps:
Customers consuming the CA API Management SaaS product can read more information on the Meltdown & Spectre vulnerabilities statement as it relates to CA SaaS customers, with the statement copied below for convenience as well:
All CA SaaS services have undergone an initial analysis to identify any impact from the Meltdown and Spectre exploits. We continue to work with our partners to ensure all patches and security updates are applied when available during the next maintenance window.
CA SaaS implements a defense in depth approach to the security of our environments which mitigates the impact of any one vulnerability. We leverage strong authentication, privileged access management, vulnerability and patch management, segmentation, and security monitoring to prevent or detect any malicious activity.
We appreciate your support and understanding as we complete our corrective action plans to ensure the stability and security of your service.
Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.
As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps if required. CA encourages all customers to enroll in CA proactive notifications in order to receive updates on these kinds of critical vulnerabilities in the future.