CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 have recently been identified as industry-wide "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."
"An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian)."
Are any of the CA API Management products vulnerable to the Spectre and/or Meltdown vulnerabilities, including the CA API Gateway, Mobile API Gateway, API Developer Portal, Live API Creator, and others?
API Management products currently known to be affected:
- All form factors of the following products are impacted by this issue:
  - CA API Gateway
    - Customers using the Docker container form factor will need to update the host. The vendor of the host operating system should be issuing a patch. The container itself does not require patching.
    - Customers using the AMI form factor on Amazon should know that Amazon has patched the vulnerability for their EC2 fleet at the hypervisor level. Recently, CA has become aware of some compatibility issues between the monthly platform patch and the latest patches from Amazon. Customers should refrain from installing the latest monthly platform patch in the AMI form factor for the time being. This note will be removed when this is no longer an issue.
    - Oracle hardware appliances for the API Gateway are still being investigated. CA Technologies is waiting on the appropriate patch from Oracle at this time.
  - CA Mobile API Gateway
  - CA API Developer Portal ("Classic Portal"; version 3.5 & lower)
  - On-premise CA API Developer Portal Enhanced Experience ("Portal"; version 4.0 & higher)
  - CA API Management SaaS ("SaaS Portal")
  - Live API Creator
    - Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.
Workaround / Resolution:
Patches have been issued by CA Technologies for the following products:
- CA API Gateway
- CA Mobile API Gateway
- CA API Developer Portal
Patches can be found on the Solutions & Patches page, and are named as below:
Any platform updates with dates equal to or later than 2018-01-05 (YYYY-MM-DD) will include the necessary patches to mitigate the vulnerabilities.
The monthly platform update noted above includes the following patches from Red Hat. If more are released, they will also be distributed in the monthly platform updates.
In addition to any patches issued by CA Technologies, customers are advised to apply vendor-provided patches to hardware that is being used to run the virtual appliance, container, or software form factors as they become available.
For the CA API Developer Portal Enhanced Experience, customers need to update the kernel by performing the following steps:
- Access the affected CA APIM Portal machine
- Type sudo yum update and then verify and accept the update
- Once the update has been completed, reboot the machine
- Access the machine again
- Verify that all three (3) CVEs have been fixed by typing rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
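The verification step above relies on reading the kernel package changelog by eye. The script below is an added example, not part of the CA advisory, that automates the same check: it takes the output of the advisory's rpm -q --changelog kernel command on standard input and reports which of the three CVE identifiers are missing, exiting non-zero if any is absent. When run with no arguments it checks a constructed sample changelog embedded in the script; the script name check_cves.sh and the --stdin flag are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the CA advisory or its products): confirm that a
# RHEL-family kernel changelog names all three Meltdown/Spectre CVEs.
#
# Real-host usage (the rpm command is the one from the advisory):
#   rpm -q --changelog kernel | sh check_cves.sh --stdin
# Stand-alone usage (checks the constructed sample below):
#   sh check_cves.sh

# Constructed sample changelog text; the package version and packager
# are placeholders, not real Red Hat changelog entries.
SAMPLE_CHANGELOG='* Thu Jan 04 2018 Example Packager <packager@example.invalid> [0.0.0-0.example]
- [x86] placeholder entry for branch target injection mitigation (CVE-2017-5715)
- [x86] placeholder entry for rogue data cache load mitigation (CVE-2017-5754)
- [x86] placeholder entry for bounds check bypass mitigation (CVE-2017-5753)'

# The three CVEs the advisory tells customers to look for.
REQUIRED_CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# missing_cves: reads changelog text on stdin and prints, on one line,
# the required CVE identifiers that do not appear anywhere in it.
# Prints an empty line when all three are present.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in $REQUIRED_CVES; do
        case "$changelog" in
            *"$cve"*) ;;                       # found, nothing to report
            *) missing="$missing $cve" ;;      # absent, remember it
        esac
    done
    printf '%s\n' "${missing# }"
}

# all_cves_fixed: exit status 0 when stdin's changelog names all three CVEs,
# 1 otherwise. Usable directly in an "if" or with "&&" in other scripts.
all_cves_fixed() {
    [ -z "$(missing_cves)" ]
}

# main: choose the input source, run the check once, print a verdict.
main() {
    if [ "${1:-}" = "--stdin" ]; then
        input=$(cat)
    else
        input=$SAMPLE_CHANGELOG
    fi
    missing=$(printf '%s\n' "$input" | missing_cves)
    if [ -z "$missing" ]; then
        echo "OK: kernel changelog references all three CVEs"
        return 0
    fi
    echo "NOT PATCHED: changelog is missing $missing"
    return 1
}

main "$@"
```

A changelog mention only shows that the installed kernel package carries the fixes; the running kernel must also be the patched one, which is why the advisory's procedure reboots before this check.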
Customers consuming the CA API Management SaaS product can read the Meltdown & Spectre vulnerabilities statement as it relates to CA SaaS customers (linked below); the statement is also copied here for convenience:
All CA SaaS services have undergone an initial analysis to identify any impact from the Meltdown and Spectre exploits. We continue to work with our partners to ensure all patches and security updates are applied when available during the next maintenance window.
CA SaaS implements a defense in depth approach to the security of our environments which mitigates the impact of any one vulnerability. We leverage strong authentication, privileged access management, vulnerability and patch management, segmentation, and security monitoring to prevent or detect any malicious activity.
We appreciate your support and understanding as we complete our corrective action plans to ensure the stability and security of your service.
As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps if required. CA encourages all customers to enroll in CA proactive notifications in order to receive updates on these kinds of critical vulnerabilities in the future.
- Meltdown & Spectre information: https://meltdownattack.com/
- Red Hat article on these vulnerabilities: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Solutions & Patches page: https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-api-management-solutions-and-patches.html
- Meltdown & Spectre Vulnerability Statement from CA: https://support.ca.com/us/product-content/recommended-reading/security-notices/meltdown---spectre-vulnerabilities-statement.html
- CA - Enroll in Proactive Notifications: https://communities.ca.com/thread/241784972-how-to-get-proactive-notifications
- Amazon Processor Speculative Execution Research Disclosure article: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/