API Gateway affected by CVE-2023-25690 or CVE-2023-27522

Article ID: 269932

Products

CA API Gateway

Issue/Introduction

The Policy Manager does not contain Apache HTTP Server parts and will not be affected.

The Gateway itself contains Jetty (9.3.8.v20160314 in 10.1), which contains parts of Apache HTTP Server.

Our client is asking whether the API Gateway is affected by CVE-2023-25690.

Environment

Release: 10.1

Resolution

Both vulnerabilities are related to Apache HTTP Server (versions 2.4.30 through 2.4.55), which is neither installed nor used in the API Gateway.

We use Apache Tomcat version 9.x, hence the Gateway is NOT affected by CVE-2023-25690 or CVE-2023-27522.
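
To confirm the same conclusion on a given host, the following added example (not vendor code) looks for an Apache HTTP Server binary on PATH and compares its version banner with the range stated in the Resolution. The function names and the sample banners used to exercise them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Range bounds come from the Resolution text: 2.4.30 through 2.4.55.
LOW_PATCH=30
HIGH_PATCH=55

# Pull "x.y.z" out of a banner such as "Server version: Apache/2.4.52 (Unix)".
# A Tomcat banner ("Apache Tomcat/9.x") has no "Apache/" token and yields nothing.
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print in-range, out-of-range, or unparsed for one banner string.
# The banner is an indicator only: distribution packages may backport fixes
# without changing the upstream version number.
classify_banner() {
    ver=$(banner_version "$1")
    case $ver in
        '') echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge "$LOW_PATCH" ] && [ "$patch" -le "$HIGH_PATCH" ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Report each Apache HTTP Server binary found on PATH on this host.
check_local_httpd() {
    found=0
    for bin in httpd apache2; do
        command -v "$bin" >/dev/null 2>&1 || continue
        found=1
        banner=$("$bin" -v 2>/dev/null || true)
        echo "$bin: $(classify_banner "$banner") [$(banner_version "$banner")]"
    done
    [ "$found" -eq 1 ] || echo "no httpd/apache2 binary on PATH"
}

check_local_httpd
```

On a host where neither binary exists, the script reports that none was found, which matches the statement that Apache HTTP Server is not installed.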