Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for the API Management Product Suite

Document ID : KB000017081
Last Modified Date : 30/05/2018
Introduction:
  • CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 have recently been identified as industry-wide "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."
  • "An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian)." Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution
  • Note: This article covers the first generation of Spectre & Meltdown vulnerabilities. The second generation vulnerabilities are discussed in the following KB article: Addressing the Second Generation Spectre and Meltdown Vulnerabilities (CVE-2018-3639) for the API Management Product Suite
Question:
  • Are any of the CA API Management products vulnerable to the Spectre and/or Meltdown vulnerabilities, including the CA API Gateway, Mobile API Gateway, API Developer Portal, Live API Creator, and others?
Answer:

API Management products currently known to be affected:

  • All form factors of the following products are impacted by this issue:
    • CA API Gateway
      • Customers using the Docker container form factor will need to update the host. The vendor of the host operating system should be issuing a patch. The container itself does not require patching.
      • Customers using the AMI form factor on Amazon should know that Amazon has patched the vulnerability for their EC2 fleet at the hypervisor level. If the Gateway is an instance based on an AWS AMI image, take a snapshot before applying this patch, because there is an unforeseeable possibility that the kernel boot error issue will affect your AWS AMI image; if the boot error issue ever occurs, the image cannot be recovered.
      • Oracle hardware appliances for the API Gateway are still being investigated. CA Technologies is waiting on the appropriate patch from Oracle at this time.
    • CA Mobile API Gateway
    • CA API Developer Portal ("Classic Portal"; version 3.5 & lower)
    • On-premise CA API Developer Portal Enhanced Experience ("Portal"; version 4.0 & higher)
    • CA API Management SaaS ("SaaS Portal")
    • Live API Creator
      • Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.

Workaround / Resolution:

Patches have been issued by CA Technologies for the following products:

  • CA API Gateway
  • CA Mobile API Gateway
  • CA API Developer Portal

Patches can be found on the Solutions & Patches page, and are named as below:

  • CA_API_PlatformUpdate_64bit_v9.X-CentOS-2018-01-05.L7P
  • CA_API_PlatformUpdate_64bit_v9.X-RHEL-2018-01-05.L7P

Any platform updates with dates equal to or later than 2018-01-05 (YYYY-MM-DD) will include the necessary patches to mitigate the vulnerabilities.

The monthly platform update noted above includes the following patches from Red Hat. If more are released, they will also be distributed in the monthly platform updates.

  • kernel-2.6.32-696.18.7.el6.x86_64.rpm
  • kernel-firmware-2.6.32-696.18.7.el6.noarch.rpm

Customers using the AMI form factor on Amazon should know that Amazon has patched the vulnerability for their EC2 fleet at the hypervisor level. If the Gateway is an instance based on an AWS AMI image, take a snapshot before applying this patch, because there is an unforeseeable possibility that the kernel boot error issue will affect your AWS AMI image; if the boot error issue ever occurs, the image cannot be recovered.

In addition to any patches issued by CA Technologies, customers are advised to apply vendor-provided patches to hardware that is being used to run the virtual appliance, container, or software form factors as they become available.

For the CA API Developer Portal Enhanced Experience, customers need to update the kernel by performing the following steps:

  1. Access the affected CA APIM Portal machine
  2. Type sudo yum update and then verify and accept the update
  3. Once the update has been completed, reboot the machine
  4. Access the machine again
  5. Verify that all three (3) CVEs have been fixed by typing rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
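The steps above end with a single grep that succeeds if any one of the three CVEs appears in the kernel changelog. The script below is an added example, not part of the CA KB article or CA's own tooling: it insists that all three CVE identifiers are present, and additionally checks that the kernel actually booted (from uname -r) is at least the patched build kernel-2.6.32-696.18.7.el6 named in this article, which catches the common case of updating the package but not rebooting (step 3). It assumes a RHEL/CentOS 6 host, a uname -r string of the form 2.6.32-696.18.7.el6.x86_64, and changelog text from rpm -q --changelog kernel; the changelog lines used for the built-in self-check are constructed, not real Red Hat entries.

```shell
#!/bin/sh
# Added example (not from the CA KB article): verify that a RHEL/CentOS 6 host
# carries the first-generation Spectre/Meltdown kernel fix listed in the article.
# Assumptions: uname -r looks like 2.6.32-696.18.7.el6.x86_64, the minimum patched
# build is kernel-2.6.32-696.18.7.el6 from the KB's RPM list, and the changelog
# text is the output of `rpm -q --changelog kernel`.

PATCHED_KERNEL="2.6.32-696.18.7.el6"
REQUIRED_CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# changelog_has_all_cves TEXT
# Succeeds only if every CVE in REQUIRED_CVES appears in TEXT; otherwise prints
# the missing identifiers and fails. Unlike `egrep 'a|b|c'`, one hit is not enough.
changelog_has_all_cves() {
    text=$1
    missing=""
    for cve in $REQUIRED_CVES; do
        printf '%s\n' "$text" | grep -qF "$cve" || missing="$missing $cve"
    done
    if [ -n "$missing" ]; then
        echo "changelog is missing:$missing"
        return 1
    fi
    return 0
}

# kernel_at_least RUNNING MINIMUM
# Field-by-field numeric comparison of two RHEL 6 kernel version strings after
# dropping the .el6 and .x86_64 suffixes. Succeeds if RUNNING >= MINIMUM, so a
# later platform update (the KB says any dated 2018-01-05 or after) also passes.
kernel_at_least() {
    awk -v run="$1" -v min="$2" 'BEGIN {
        gsub(/\.(el6|x86_64)/, "", run); gsub(/\.(el6|x86_64)/, "", min)
        n = split(run, r, /[.-]/); m = split(min, q, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            a = (i <= n) ? r[i] + 0 : 0
            b = (i <= m) ? q[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# verify_host: run both checks against the live machine (needs rpm and uname).
verify_host() {
    running=$(uname -r)
    if ! kernel_at_least "$running" "$PATCHED_KERNEL"; then
        echo "running kernel $running is older than $PATCHED_KERNEL; reboot into the updated kernel"
        return 1
    fi
    changelog_has_all_cves "$(rpm -q --changelog kernel)" || return 1
    echo "kernel $running carries fixes for: $REQUIRED_CVES"
}

# self_check: exercise the two functions on constructed input so the script can
# be tried on any machine without rpm. The changelog lines are made up here.
self_check() {
    full='- constructed entry (CVE-2017-5715)
- constructed entry (CVE-2017-5753)
- constructed entry (CVE-2017-5754)'
    partial='- constructed entry (CVE-2017-5754)'
    changelog_has_all_cves "$full" || return 1
    changelog_has_all_cves "$partial" >/dev/null && return 1
    kernel_at_least "2.6.32-696.18.7.el6.x86_64" "$PATCHED_KERNEL" || return 1
    kernel_at_least "2.6.32-696.16.1.el6.x86_64" "$PATCHED_KERNEL" && return 1
    echo "self-check passed"
}

# Usage: ./check_spectre.sh live   (real host)   |   ./check_spectre.sh   (self-check)
if [ "${1:-}" = "live" ]; then
    verify_host
else
    self_check
fi
```

Running it with the argument live exits non-zero either when the booted kernel predates the patched build (the update was applied but the reboot in step 3 was skipped) or when any of the three CVEs is absent from the changelog, which makes it suitable as a post-patch compliance check across a fleet of Portal or Gateway hosts.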

Customers consuming the CA API Management SaaS product can read the CA SaaS statement on the Meltdown & Spectre vulnerabilities as it relates to CA SaaS customers; the statement is also copied below for convenience:

All CA SaaS services have undergone an initial analysis to identify any impact from the Meltdown and Spectre exploits. We continue to work with our partners to ensure all patches and security updates are applied when available during the next maintenance window.

CA SaaS implements a defense in depth approach to the security of our environments which mitigates the impact of any one vulnerability. We leverage strong authentication, privileged access management, vulnerability and patch management, segmentation, and security monitoring to prevent or detect any malicious activity.

We appreciate your support and understanding as we complete our corrective action plans to ensure the stability and security of your service.

Customers running Live API Creator will need to update the host. The vendor of the host operating system should be issuing such a patch. The application itself does not require patching.

As more information becomes available from third-party vendors, CA will issue additional notifications to advise customers of potential resolutions and next steps if required. CA encourages all customers to enroll in CA proactive notifications in order to receive updates on these kinds of critical vulnerabilities in the future.

Additional Information: