Layer7 API Management

  • 1.  Oracle Java Vulnerabilities

    Posted Aug 23, 2019 02:46 PM
    Hi,

    Our current API Gateways are running on v9.3 (ssg-9.3.00-9006_CR04.noarch) and when we ran our security scans using Nessus Agent on the servers for scanning through Tenable, we are getting the following vulnerability error. The path it is referring to is /opt/SecureSpan/JDK/bin.

    Oracle Java SE 1.7.0_221 / 1.8.0_211 / 1.11.0_3 / 1.12.0_1 Multiple Vulnerabilities (Apr 2019 CPU) (Unix)
    The remote Unix host contains a programming platform that is affected
    by multiple vulnerabilities.

    The scans suggest the following solution:

    Upgrade to Oracle JDK / JRE 12 Update 1 , 11 Update 3, 8 Update 211 / 7 Update 221 or later. If necessary, remove any affected versions.

    How do we get through these errors? Do we have any patch (with the latest Java 8 update 211 or later) readily available to remediate this issue?
    I have already applied the latest monthly platform update (CA_API_PlatformUpdate_64bit_v9.X-RHEL-2019-07-25.L7P) as well but it didn't help.



    ------------------------------

    Thanks 
    Prashanth
    ------------------------------


  • 2.  RE: Oracle Java Vulnerabilities
    Best Answer

    Broadcom Employee
    Posted Sep 06, 2019 03:13 AM
    Hi Prashanth,

    This issue is resolved with the introduction of version 9.4 CR3: https://docops.ca.com/ca-api-gateway/9-4/en/release-notes-9-4/resolved-issues#ResolvedIssues-IssuesResolvedinVersion9.4CR3

    You can download the patch/updates from here https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-api-gateway-solutions-and-patches.html 

    Hope this helps,

    Thanks,
    Diego Martins




  • 3.  RE: Oracle Java Vulnerabilities

    Posted Sep 13, 2019 12:11 PM
    Thanks. We upgraded to v9.4 and applied the CR03 patch that ships with openjdk version "1.8.0_222", and all vulnerabilities got cleared.
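
Added example, not part of the thread and not Gateway product code: a shell check to run after patching, confirming that the JDK under /opt/SecureSpan/JDK/bin reports a version at or above the fixed levels quoted from the scan result in post 1. The `java` binary name under that directory and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Fixed levels are the ones quoted from the scan result: 7u221, 8u211, 11.0.3, 12.0.1.

# Read `java -version` output on stdin and print the quoted version string.
jdk_version_from_output() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# 0 = at or above the fixed level, 1 = below it, 2 = unparsable or a major
# release the scan result does not list.
jdk_is_patched() {
    ver=$1
    case "$ver" in
        1.[0-9]*)                          # legacy: 1.<major>.0_<update>
            rest=${ver#1.}; major=${rest%%.*}
            case "$rest" in
                *_[0-9]*) update=${rest#*_} ;;
                *)        update=0 ;;
            esac ;;
        [0-9]*)                            # current: <major>.<minor>.<update>, minor assumed 0
            major=${ver%%[!0-9]*}; rest=${ver#"$major"}
            case "$rest" in
                .[0-9]*.[0-9]*) update=${rest#.*.} ;;
                *)              update=0 ;;
            esac ;;
        *) return 2 ;;
    esac
    update=${update%%[!0-9]*}              # drop build suffixes such as -b10 or +7
    [ -n "$update" ] || return 2
    case "$major" in
        7) min=221 ;; 8) min=211 ;; 11) min=3 ;; 12) min=1 ;;
        *) return 2 ;;
    esac
    [ "$update" -ge "$min" ]
}

# Check the JDK bundled with the Gateway (binary name "java" is an assumption).
check_gateway_jdk() {
    java_bin=${1:-/opt/SecureSpan/JDK/bin/java}
    [ -x "$java_bin" ] || { echo "no executable at $java_bin" >&2; return 2; }
    found=$("$java_bin" -version 2>&1 | jdk_version_from_output)
    if jdk_is_patched "$found"; then
        echo "patched: $found"
    else
        rc=$?; echo "NOT patched or unknown (rc=$rc): $found" >&2; return "$rc"
    fi
}
```

Source the file and call `check_gateway_jdk` on each Gateway node; a non-zero return means the bundled JDK is still below the level the scanner asks for, or reports a version the function does not recognise.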