Vulnerability in embedded MySQL of a Layer7 OVA appliance
search cancel

Vulnerability in embedded MySQL of a Layer7 OVA appliance

book

Article ID: 280047

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Our vulnerability checking tools have found an issue on the OVA 10.1 CR3 version of Layer7 API Gateway.


Title:
Oracle MySQL JAN 2024 Critical Patch Update (CPUJAN2024)
-------------------------------
CVE:
CVE-2023-39975| CVE-2024-20968| CVE-2023-5363| CVE-2024-20960| CVE-2024-20961| CVE-2024-20962| CVE-2024-20963| CVE-2024-20964| CVE-2024-20965| CVE-2024-20966| CVE-2024-20967| CVE-2024-20969| CVE-2024-20970| CVE-2024-20971| CVE-2024-20972| CVE-2024-20973| CVE-2024-20974| CVE-2024-20976| CVE-2024-20977| CVE-2024-20978| CVE-2024-20981| CVE-2024-20982| CVE-2024-20984| CVE-2024-20985| CVE-2024-20975| CVE-2024-20983
-------------------------------
Threat:
This Critical Patch Update contains patches for 5.7.x, 8.0.x and 8.x.y oracle MySQL server 

Affected Versions: MySQL Server versions 8.0.35 and prior MySQL Server versions 8.1.0. MySQL Server versions 8.2.0 and prior 

QID Detection Logic (Authenticated):(Linux) This QID fires mysqld -V command to check the vulnerable versions of MySQL.  
QID Detection Logic (Unauthenticated): This QID detects vulnerable versions of MySQL via the banner exposed by the service.
-------------------------------
Impact:
Successful exploitation could allow an attacker to affect the confidentiality, integrity, and availability of data on the target system.
-------------------------------
Results:
mysqld -V
/usr/sbin/mysqld  Ver 8.0.35-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial) 
service mysql status 
systemctl status mysql#
-------------------------------
Solution:
Refer to vendor advisory Oracle MySQL OCT 2023  (https://www.oracle.com/security-alerts/cpujan2024.html). 
 Patch: 
Following are links for downloading patches to fix the vulnerabilities:
  CPUJAN2024 (https://www.oracle.com/security-alerts/cpujan2024.html)

Environment

All supported API Gateway versions

Resolution

The listed CVEs are addressed on 8.0.36 for MySQL Server. Our January MPP (Monthly Platform Patch) consists MySQL 8.0.36, so please install the Jan 2024 MPP. Get the latest MPP from the below links:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/CA-API-Gateway-Solutions--Patches/3024

Patching Guide:

https://knowledge.broadcom.com/external/article/240851/ca-api-gateway-10x-patching-guide.html

For Gateway 11 please install the latest monthly patch 

Layer7_API_PlatformUpdate_64bit_v11.X-Debian-2024-03-26.zip

Downloaded link:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/release-announcements/CA-API-Gateway-Solutions--Patches/3024

This patch updates  mysql to 8.0.36

Powered by Wolken Software