Addressing the "Foreshadow" L1 Terminal Fault Attack Vulnerabilities (CVE-2018-3620 & CVE-2018-3646) for the API Management Product Suite

Document ID : KB000111122
Last Modified Date : 16/08/2018
Introduction:
  • New kernel side-channel attacks using L1 Terminal Fault (CVE-2018-3620 & CVE-2018-3646) have recently been identified industry-wide: "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."
  • "An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible." Ref: https://access.redhat.com/security/vulnerabilities/L1TF
Question:
  • Are any of the CA API Management products vulnerable to the L1 Terminal Fault, also known as "Foreshadow", including the CA API Gateway, Mobile API Gateway, API Developer Portal, Live API Creator, and others?
Answer:

API Management products (or platforms) currently known to be affected:

  • All form factors of the following products are impacted by this issue:
    • CA API Gateway
      • Customers using the Docker container form factor will need to update the host. The vendor of the host operating system should be issuing a patch. The container itself does not require patching.
      • Oracle hardware appliances for the CA API Gateway are still being investigated. CA Technologies is waiting on the appropriate patch from Oracle at this time.
    • CA Mobile API Gateway
    • CA API Developer Portal ("Classic Portal"; version 3.5 & lower)
    • On-premise CA API Developer Portal Enhanced Experience ("Portal"; version 4.0 & higher)
    • Live API Creator
      • Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.
API Management products (or platforms) currently under investigation:
  • CA API Management SaaS ("SaaS Portal")
Workaround / Resolution:

The operating system / platform update patches will be included in the next round of monthly security platform updates issued by CA Technologies for the following products:

  • CA API Gateway
  • CA Mobile API Gateway
  • CA API Developer Portal ("Classic Portal"; version 3.5 & lower)

Patches can be found on the Solutions & Patches page, when available. This article will also be updated once they are released.

In addition to any patches issued by CA Technologies in the future, customers are advised to apply vendor-provided patches to hardware that is being used to run the virtual appliance, container, or software form factors as they become available.

For the CA API Developer Portal Enhanced Experience ("Portal"; version 4.0 & higher), customers need to ensure they keep their systems up-to-date by following the documented procedure for updating the platform. As soon as Red Hat or other operating system vendors release their patches for their respective operating systems, following that documentation will allow those patches to be applied.

Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.
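As an added example, not code from this CA article or from any CA product: a POSIX shell check that reads the L1TF status the Linux kernel itself reports on a host, so the hosts running the virtual appliance, container, or software form factors can be verified once the vendor patch has been applied. It assumes a Linux host and the kernel's /sys/devices/system/cpu/vulnerabilities/l1tf report file; kernels without the L1TF fixes have no such file, which the check treats as "still needs the patch".

```shell
#!/bin/sh
# Added example (not from the CA KB article): classify the L1TF status a Linux
# kernel reports, so a fleet check can flag hosts that still need action.
# Assumes the kernel's /sys/devices/system/cpu/vulnerabilities/l1tf file.

L1TF_SYSFS="${L1TF_SYSFS:-/sys/devices/system/cpu/vulnerabilities/l1tf}"

# l1tf_status FILE
# Prints one word: missing | vulnerable | partial | mitigated | not-affected
l1tf_status() {
    if [ ! -r "$1" ]; then
        echo missing          # kernel predates the L1TF fixes: host patch still needed
        return 0
    fi
    report=$(cat "$1")
    case "$report" in
        "Not affected"*)
            echo not-affected ;;
        "Mitigation:"*"SMT vulnerable"*|"Mitigation:"*"L1D vulnerable"*|"Mitigation:"*"VMX: vulnerable"*)
            # PTE inversion protects the host itself, but a hypervisor on this
            # host still leaves guests exposed (SMT on, or L1D flush disabled).
            echo partial ;;
        "Mitigation:"*)
            echo mitigated ;;
        *)
            echo vulnerable ;;   # "Vulnerable": affected CPU and no fix active
    esac
}

# l1tf_needs_patch FILE
# Returns 0 (true) when the host still needs attention, 1 when it is done.
l1tf_needs_patch() {
    case "$(l1tf_status "$1")" in
        missing|vulnerable|partial) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report on the local host.
if l1tf_needs_patch "$L1TF_SYSFS"; then
    echo "$(uname -n): L1TF status '$(l1tf_status "$L1TF_SYSFS")' - host patch, reboot or SMT review still required"
else
    echo "$(uname -n): L1TF status '$(l1tf_status "$L1TF_SYSFS")' - no action needed"
fi
```

A "partial" result on a hypervisor host means the host kernel is patched but guests (such as a virtual appliance) are still exposed across hyperthreads, so the host vendor's guidance on SMT and L1D flushing still applies.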

As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps if required. CA encourages all customers to enroll in CA proactive notifications in order to receive updates on these kinds of critical vulnerabilities in the future.

Additional Information: