A KB article on this topic is located here: Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management…
Below is an email that was sent to customers on January 5, 2018.
The purpose of this Critical Alert is to inform you of a potential problem that has been recently identified with the CA API Gateway. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.
PRODUCT(S) AFFECTED: CA API Gateway
RELEASE: 8.0 thru 9.3
PROBLEM DESCRIPTION:
CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 have been recently identified in industry-wide "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."
Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution
SYMPTOMS:
"An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian)."
Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution
IMPACT:
All form factors of the CA API Gateway are impacted by this issue.
WORKAROUND:
There is currently no known workaround for this issue.
PROBLEM RESOLUTION:
There is currently no resolution to this issue. As soon as a patch has been made available by affected vendors, CA will issue an expedited patch for the API Gateway. It is strongly advised that customers apply this patch to all API Gateways in their environment. Additionally, customers are advised to apply vendor-provided patches to hardware that is being used to run the Virtual Appliance, Container, or Software form factors as they become available.
As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps for updating CA API Gateway.
If you have any questions about this Critical Alert, please contact CA Support.
Thank you,
CA Support Team