Layer7 API Management

Proactive Notification Advisory for CA API Gateway 

04-06-2017 06:07 AM

CA API Gateway

 

Date: April 5, 2017

 

 

Dear CA Customer:

 

The purpose of this Advisory is to inform you of a potential problem that has been recently identified with CA API Gateway.  Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.  

 

PRODUCT(S) AFFECTED: CA API Gateway

RELEASE: 7.x thru 9.1

PROBLEM DESCRIPTION:

Customer policies that use the “Change Content Type” assertion with the “re-initialize message” checkbox enabled can lead to improper reuse of an internal pooled buffer, resulting in data corruption or information leakage.

 

This problem occurs on all Gateway form factors, for the versions listed below:

 

  • Gateway version 9.2 is not vulnerable to this issue.

  • Gateway versions between 8.3 and 9.1 (inclusive) are vulnerable if using this combination of assertions in their service policies. Gateways not using this combination of assertions in their policies are not known to be vulnerable; however, CA recommends proactively disabling pooled buffers as a precaution.

  • Gateway versions between 7.1 and 8.2 (inclusive) are not known to be vulnerable; however, CA recommends proactively disabling pooled buffers in those versions as a precaution.
 


SYMPTOMS:
This issue impacts all Gateways where the “Change Content Type” assertion is used with the “re-initialize message” option. To verify whether this combination exists on your Gateway, do the following:

 

  • Log in to the Gateway through SSH or terminal as the ssgconfig user
  • Choose option 3) Use a privileged shell
  • At the root prompt, run the following commands:
    • mysql ssg -e "select name from published_service where policy_xml like '%L7p:ReinitializeMessage%'"
    • mysql ssg -e "select name from policy where xml like '%L7p:ReinitializeMessage%'"

 

If the row count from either of these queries is greater than zero, at least one policy or policy fragment contains the assertion configuration that will cause the issue to occur.
 
IMPACT:
Possible disclosure of sensitive information, or data corruption, via an improperly re-used buffer.

 

For customers that are using the Change Content Type assertion with the “re-initialize message” option enabled, the buffer pool functionality should be disabled immediately.

 

For other customers, the buffer pool functionality should be disabled at the earliest safe opportunity.
 
WORKAROUND:
There are no known workarounds for this issue, other than the problem resolution below to disable the buffer pool.
 
PROBLEM RESOLUTION:
The following steps describe how to disable the buffer pool in the Gateway JVM:

 

  • Log in to the Gateway through SSH or terminal as the ssgconfig user
  • Choose option 3) Use a privileged shell
  • At the root prompt, run the following command:
    • echo 'SSG_JAVA_OPTS="$SSG_JAVA_OPTS -Dcom.l7tech.util.BufferPool.enabled=false"' > /opt/SecureSpan/Gateway/runtime/etc/profile.d/xbufferpool.sh
  • Confirm that the xbufferpool.sh file exists, and contains the expected line:
    • cat /opt/SecureSpan/Gateway/runtime/etc/profile.d/xbufferpool.sh
  • Expected output:
    • SSG_JAVA_OPTS="$SSG_JAVA_OPTS -Dcom.l7tech.util.BufferPool.enabled=false"
  • Set the owner and permissions on the added file:
    • cd /opt/SecureSpan/Gateway/runtime/etc/profile.d
    • chown layer7:layer7 xbufferpool.sh
    • chmod 555 xbufferpool.sh
  • Restart the Gateway node
    • service ssg restart
  • Confirm that the buffer pool is disabled in the Gateway java settings:
    • ps auxww | grep BufferPool
  • Expected output:
    • “-Dcom.l7tech.util.BufferPool.enabled=false” is listed in the “gateway” process
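
An added example (not part of CA's advisory or tooling) that combines the two confirmation steps above into one check: it verifies the exact line in xbufferpool.sh and looks for the flag on a running process's command line, so that "file written but Gateway not restarted" is distinguished from "disabled". The function names, status words and sample process lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not CA's tooling: classify the state of the buffer-pool workaround.
FLAG='-Dcom.l7tech.util.BufferPool.enabled=false'
WANT="SSG_JAVA_OPTS=\"\$SSG_JAVA_OPTS ${FLAG}\""   # exact line the advisory's echo writes

# profile_state FILE -> ok | missing | malformed
# "malformed" catches typographic quotes or dashes pasted from a rendered page.
profile_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    if grep -qxF -- "$WANT" "$1"; then echo ok; else echo malformed; fi
}

# jvm_state: `ps auxww` output on stdin -> applied | not-applied
# Field 11 is the command; skipping grep keeps the check from matching itself.
jvm_state() {
    if awk -v f="$FLAG" '$11 !~ /(^|\/)grep$/ && index($0, f) { hit = 1 }
                         END { exit !hit }'; then
        echo applied
    else
        echo not-applied
    fi
}

# verdict FILE (ps output on stdin) -> single status word
verdict() {
    p=$(profile_state "$1"); j=$(jvm_state)
    case "$p/$j" in
        ok/applied)     echo disabled ;;
        ok/not-applied) echo restart-needed ;;
        */applied)      echo "disabled-profile-$p" ;;
        *)              echo "not-disabled-profile-$p" ;;
    esac
}

# Constructed sample data (hypothetical process lines, not captured from a Gateway).
PS_BEFORE="root 9001 0.0 0.0 112000 900 pts/0 S+ 10:00 0:00 grep -- ${FLAG}"
PS_AFTER="gateway 2211 3.1 40.2 5123456 1650000 ? Sl 09:58 1:02 java -server ${FLAG} constructed.Main
${PS_BEFORE}"

demo_dir=$(mktemp -d)
printf '%s\n' "$WANT" > "$demo_dir/xbufferpool.sh"
printf '%s\n' "$PS_BEFORE" | verdict "$demo_dir/xbufferpool.sh"   # restart-needed
printf '%s\n' "$PS_AFTER"  | verdict "$demo_dir/xbufferpool.sh"   # disabled
rm -rf "$demo_dir"
```

On a Gateway node the same functions can be fed live data, for example `ps auxww | verdict /opt/SecureSpan/Gateway/runtime/etc/profile.d/xbufferpool.sh`.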

 

If you have any questions about this Advisory, please contact CA Support.
 
Thank you,

CA Support Team

 

Comments

04-06-2017 07:54 AM

Thanks a lot for the information!!

 

Regards,

Ankush

04-06-2017 06:38 AM

The notification says Gateway versions between 8.3 and 9.1 (inclusive) are vulnerable

04-06-2017 06:19 AM

Does this vulnerability exist for versions 8.4 and 9.0 as well?

 

Thanks,

Ankush
