Addressing the Second Generation Spectre and Meltdown Vulnerabilities (CVE-2018-3639) for the API Management Product Suite


Article ID: 98884


Products

  • STARTER PACK-7
  • CA API Management SaaS
  • CA Rapid App Security
  • CA API Gateway

Issue/Introduction

  • "On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems."

  • Are any of the CA API Management products vulnerable to the second generation of Spectre and/or Meltdown vulnerabilities (CVE-2018-3639), including the CA API Gateway, Mobile API Gateway, API Developer Portal, Live API Creator, and others?

Environment

Release:
Component: APIOTK

Resolution

API Management products currently known to be affected:

  • All form factors of the following products are impacted by this issue:
    • CA API Gateway
      • Customers using the Docker container form factor will need to update the host. The vendor of the host operating system should be issuing a patch. The container itself does not require patching.
      • If the Gateway is an AWS AMI-based instance, take a snapshot before applying this patch, because a kernel boot error can persist in the AMI image after the update. If the boot error occurs, the image cannot be recovered.
      • Oracle hardware appliances for the API Gateway are still being investigated. CA Technologies is waiting on the appropriate patch from Oracle at this time.
    • CA Mobile API Gateway
    • CA API Developer Portal ("Classic Portal"; version 3.5 & lower)
    • On-premise CA API Developer Portal Enhanced Experience ("Portal"; version 4.0 & higher)
    • CA API Management SaaS ("SaaS Portal")
    • Live API Creator
      • Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.

Workaround / Resolution:

Patches have been issued by CA Technologies for the following products:

  • CA API Gateway
  • CA Mobile API Gateway
  • CA API Developer Portal

Patches can be found on the Solutions & Patches page, and are named as below:

  • CA_API_PlatformUpdate_64bit_v9.X-CentOS-2018-05-24.L7P
  • CA_API_PlatformUpdate_64bit_v9.X-RHEL-2018-05-24.L7P

Any platform updates with dates equal to or later than 2018-05-24 (YYYY-MM-DD) will include the necessary patches to mitigate the vulnerabilities.

If the Gateway is an AWS AMI-based instance, take a snapshot before applying this patch, because a kernel boot error can persist in the AMI image after the update. If the boot error occurs, the image cannot be recovered.

In addition to any patches issued by CA Technologies, customers are advised to apply vendor-provided patches to hardware that is being used to run the virtual appliance, container, or software form factors as they become available.

For the CA API Developer Portal Enhanced Experience, customers need to update the kernel by performing the following steps:

  1. Access the affected CA APIM Portal machine
  2. Type sudo yum update and then verify and accept the update
  3. Once the update has been completed, reboot the machine
  4. Access the machine again
  5. Verify that all three (3) CVEs have been fixed by typing rpm -q --changelog kernel | egrep 'CVE-2018-3639'
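The changelog check in step 5 confirms that the installed kernel package references the fix, but not that the running kernel is the patched one (a missed reboot leaves the old kernel live). The script below, added here and not part of the CA article, combines the article's rpm changelog check with the kernel's own sysfs report under /sys/devices/system/cpu/vulnerabilities/spec_store_bypass, which patched RHEL/CentOS 7 kernels expose; the path and status strings are assumed from the upstream kernel, and the test inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the CA article): verify on the Portal host that the
# CVE-2018-3639 (Spectre variant 4, Speculative Store Bypass) fix is present,
# both in the installed kernel package and in the kernel actually running.

CVE="CVE-2018-3639"
SYSFS_SSB="/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

# changelog_has_cve CHANGELOG_TEXT: 0 if the CVE is referenced, 1 otherwise.
# This is the same test as the article's "rpm -q --changelog kernel | egrep".
changelog_has_cve() {
    printf '%s\n' "$1" | grep -q "$CVE"
}

# ssb_status_ok STATUS_LINE: 0 if the running kernel reports a mitigation
# (or that the CPU is not affected), 1 if it reports "Vulnerable",
# 2 if the line is unrecognised. Status strings assumed from upstream sysfs.
ssb_status_ok() {
    case "$1" in
        "Mitigation:"*|"Not affected"*) return 0 ;;
        "Vulnerable"*)                 return 1 ;;
        *)                             return 2 ;;
    esac
}

# check_host: run both checks against the live system, one report line each.
check_host() {
    if command -v rpm >/dev/null 2>&1; then
        if changelog_has_cve "$(rpm -q --changelog kernel 2>/dev/null)"; then
            echo "changelog: $CVE referenced in the installed kernel package"
        else
            echo "changelog: $CVE NOT found; kernel package predates the fix"
        fi
    else
        echo "changelog: rpm not available on this host, check skipped"
    fi
    if [ -r "$SYSFS_SSB" ]; then
        status=$(cat "$SYSFS_SSB")
        rc=0; ssb_status_ok "$status" || rc=$?
        case $rc in
            0) echo "sysfs: $status" ;;
            1) echo "sysfs: $status; running kernel is NOT mitigated (reboot after yum update?)" ;;
            *) echo "sysfs: unrecognised status '$status'" ;;
        esac
    else
        echo "sysfs: $SYSFS_SSB absent; running kernel predates SSB reporting"
    fi
}

check_host
```

A package that references the CVE together with a sysfs line starting "Vulnerable" is the tell-tale of an update that was installed but not yet booted into.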

Customers of the CA API Management SaaS product can read the Meltdown & Spectre vulnerabilities statement that applies to CA SaaS customers; the statement is also copied below for convenience:

All CA SaaS services have undergone an initial analysis to identify any impact from the Meltdown and Spectre exploits. We continue to work with our partners to ensure all patches and security updates are applied when available during the next maintenance window.

CA SaaS implements a defense in depth approach to the security of our environments which mitigates the impact of any one vulnerability. We leverage strong authentication, privileged access management, vulnerability and patch management, segmentation, and security monitoring to prevent or detect any malicious activity.

We appreciate your support and understanding as we complete our corrective action plans to ensure the stability and security of your service.

Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.

As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps if required. CA encourages all customers to enroll in CA proactive notifications in order to receive updates on these kinds of critical vulnerabilities in the future.

Additional Information