Layer7 API Management


Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

  • 1.  Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Posted Jan 04, 2018 04:48 PM

    Hello, I was wondering if patching of the https://meltdownattack.com/ vulnerability was under way and when we can expect it to be available for CA API Gateway version 9. I haven't seen any announcement yet via email or otherwise around the CA website (it's quite possible I haven't been looking in the right place).


    Regards

    Jeff Michaud



  • 2.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Broadcom Employee
    Posted Jan 04, 2018 05:13 PM

    Hi Jeff,


    The latest platform patches can be found here: CA API Management Solutions & Patches - CA Technologies 

    This will address vulnerabilities. That being said it seems the team is investigating this at the moment and we have no ETA available.


    We are tracking it internally via id DE337697. If you subscribe to the proactive notification emails you will be notified of the next release.


    Regards,

    Joe



  • 3.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Posted Jan 04, 2018 05:29 PM

    Are there recommendations we can implement manually on the gateway (9.0 API Gateway image running on AWS)? I realize this may make subsequent patching unstable, but the vulnerability is critical and must be patched quickly; any information along that line would also be useful.


    Regards

    Jeff Michaud



  • 4.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Broadcom Employee
    Posted Jan 05, 2018 07:53 AM

    Hi Jeff,


    At this time I am not aware of any way to mitigate this. I would recommend opening a support case and referencing 'DE337697' so we can help prioritize this for you.


    Regards,

    Joe



  • 5.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Posted Jan 05, 2018 07:13 PM

    Hello Jeff,


    The type of patch needed for these vulnerabilities is not an application-specific patch (something CA can control); it needs to be patched at the operating system level. CA is actively staying on top of this, but we are at the mercy of the various operating system vendors at this point in time. We are waiting to receive the patches from our vendors for the appropriate platforms, such as Red Hat for all of our Gateway appliance images that are built on top of the Red Hat Enterprise Linux operating system. As soon as we receive such a patch from our vendors, we will release an urgent patch to our customers just as quickly as we can. There is nothing to my knowledge which can be done any earlier than that.


    Almost the entire world is at the mercy of the vendors at the "top level" (such as Microsoft, Red Hat, Apple, etc.) who control the operating systems running on top of the architecture where the vulnerability exists.


    Sincerely,

    Dustin Dauncey
    Sr Support Engineer, Global Customer Success
    Email: Dustin.Dauncey@ca.com
    Phone: +1 800 225 5224, 48385
    Phone if outside North America - https://tinyurl.com/CAContactSupport
    CA API Management Community: https://tinyurl.com/CAAPIMCommunity



  • 6.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Broadcom Employee
    Posted Jan 04, 2018 05:14 PM

    Details about subscribing to proactive notifications can be found here: How to get Proactive Notifications 


    Hope this helps.


    Regards,

    Joe



  • 7.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Posted Jan 04, 2018 05:24 PM

    Interestingly, no products are listed for my account (IE or Firefox).


    Regards,

    Jeff Michaud


    No products listed



  • 8.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Posted Jan 05, 2018 07:07 PM

    Hello,


    You may need to call in to our Global Support Centre and let them know what you're running into. They can ensure that all of your licenses and such are up-to-date and appropriate for your site ID. They can be reached at the toll-free number for CA Support, which is +1 800 225 5224.


    Sincerely,

    Dustin Dauncey
    Sr Support Engineer, Global Customer Success
    Email: Dustin.Dauncey@ca.com
    Phone: +1 800 225 5224, 48385
    Phone if outside North America - https://tinyurl.com/CAContactSupport
    CA API Management Community: https://tinyurl.com/CAAPIMCommunity



  • 9.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9

    Broadcom Employee
    Posted Jan 05, 2018 01:30 PM

    A KB article on this topic is located here: Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management… 


    Below is an email which was sent to customers on January 5, 2018.


    The purpose of this Critical Alert is to inform you of a potential problem that has been recently identified with the CA API Gateway. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.


    PRODUCT(S) AFFECTED: CA API Gateway
    RELEASE: 8.0 thru 9.3


    PROBLEM DESCRIPTION:

    CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 have been recently identified in industry-wide "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."

    Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution


    SYMPTOMS:
    "An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian)."

    Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution


    IMPACT:
    All form factors of the CA API Gateway are impacted by this issue.


    WORKAROUND:
    There is currently no known workaround for this issue.


    PROBLEM RESOLUTION:
    There is currently no resolution to this issue. As soon as a patch has been made available by affected vendors, CA will issue an expedited patch for the API Gateway. It is strongly advised that customers apply this patch to all API Gateways in their environment.
    Additionally, customers are advised to apply vendor-provided patches to hardware that is being used to run the Virtual Appliance, Container, or Software form factors as they become available.

    As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps for updating CA API Gateway.

    If you have any questions about this Critical Alert, please contact CA Support.
    Thank you,

    CA Support Team
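As an added check (not CA's code and not part of the thread): the alert above states that the fix is an operating-system-level kernel and microcode patch, so on a Linux host such as the RHEL-based Gateway appliance the kernel's own report under /sys/devices/system/cpu/vulnerabilities is where to confirm the patch actually landed. The script assumes a kernel new enough to export that directory (older kernels lack it, which the script counts as unmitigated) and runs offline here against a constructed sample tree.

```shell
#!/bin/sh
# Added example, not CA's code: report the kernel's mitigation status for
# CVE-2017-5754 (Meltdown), CVE-2017-5753 (Spectre v1) and CVE-2017-5715
# (Spectre v2) from the sysfs files patched kernels expose.
# Assumption: the kernel exports /sys/devices/system/cpu/vulnerabilities.

# status_of DIR NAME -> prints the kernel's status string for one flaw,
# or "unknown" when the kernel is too old to report it.
status_of() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "unknown"
    fi
}

# is_mitigated DIR NAME -> succeeds only when the kernel says "Not affected"
# or "Mitigation: ..."; "Vulnerable" and "unknown" both fail.
is_mitigated() {
    case "$(status_of "$1" "$2")" in
        "Not affected"*|"Mitigation:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report DIR -> prints one line per CVE and returns the count of flaws
# that are not mitigated (0 means the host is covered).
report() {
    dir=$1
    unmitigated=0
    for pair in "CVE-2017-5754:meltdown" "CVE-2017-5753:spectre_v1" "CVE-2017-5715:spectre_v2"; do
        cve=${pair%%:*}
        name=${pair#*:}
        printf '%-14s %-11s %s\n' "$cve" "$name" "$(status_of "$dir" "$name")"
        is_mitigated "$dir" "$name" || unmitigated=$((unmitigated + 1))
    done
    return "$unmitigated"
}

# Constructed sample sysfs tree (not real host output) so this runs offline:
# Meltdown mitigated by PTI, Spectre v1 unpatched, Spectre v2 file absent.
SAMPLE_DIR=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'Vulnerable\n' > "$SAMPLE_DIR/spectre_v1"

# On a real host: report /sys/devices/system/cpu/vulnerabilities
report "$SAMPLE_DIR" || echo "$? flaw(s) not mitigated: apply the vendor kernel/microcode patch"
```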



  • 10.  Re: Meltdown/Spectre vulnerabilities patching for CA API Gateway 9
    Best Answer

    Broadcom Employee
    Posted Jan 08, 2018 09:40 AM

    All,


    Just to close the loop here. We have released a patch on the below site to address this.


    Patch for Spectre and Meltdown CVE-2017-5754, CVE-2017-5753, CVE-2017-5715

    CA API Management Solutions & Patches - CA Technologies 


    A KB article on this topic is located here: Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management… 


    Regards,

    Joe