About the API-GW OracleJDK vulnerability

Document ID : KB000096551
Last Modified Date : 17/05/2018
Show Technical Document Details
Question:
Does API Gateway take the influence of the security vulnerability? 
If so, is the fix included in the product? 
・CVE-2018-2783
・CVE-2018-2795
・CVE-2018-2798
・CVE-2018-2800
 
Answer:
CVE-2018-2783 (Java Security module - unspecified security fix) - High Severity
 Since this vulnerability detail is not disclosed, we don't know if Gateway is affected or not.
 Java Security module is a widely used component

CVE-2018-2795 (Java Security module - insufficient consistency checks in deserialization) - Medium Severity
 Gateway may be affected by this CVE
 Java Security module is a widely used component
 The CVE and its bug report do not reveal low level details so it is hard to assess the true exploitability

CVE-2018-2798 (Java AWT module - unbounded memory allocation when deserializing) - Medium Severity
 Gateway may be affected by this CVE
 Java AWT module is a widely used common component in Java for creating user interface components such as dialog buttons and scrollbars hence Gateway has common usage of certain components.
 The CVE and its bug report does not reveal low level details for us to check the true exploitability, but from the information given and how Gateway uses JDK (not as Java applet, etc), the exploitability from a remote user seems very low.


CVE-2018-2800 (Java RMI module - HTTP protocol enabled by default) - Medium Severity
 Gateway is not affected by this CVE.
 Gateway does use RMI module for Gateway Policy admin logging into Gateway server. However, this connection already happens over a HTTPS configured listen port (managed by Gateway admin) so HTTP traffic is handled properly already. Also, this Gateway admin login functionality is only enabled over HTTPS connection, not HTTP.

* Gateway 9.3 CR2 patch will have the updated JDK fix.