Addressing Vulnerabilities Against the API Management Product Suite When Reported by Automated Security Scanning Tools

Document ID: KB000010576
Last Modified Date: 14/02/2018
Introduction:

CA Technologies considers the security posture of its products to be paramount to developing quality software. The API Management suite — including but not limited to the API Gateway, the API Developer Portal, and the Mobile API Gateway — is tested regularly by the CA Engineering team to ensure compliance with contemporary security checklists and to verify that no dependencies used by these products are subject to exploitation or other vulnerabilities.

Background:

Keeping on top of Common Vulnerabilities and Exposures (CVEs) is essential to avoiding negative consequences for the environment. CA Technologies encourages all customers to always install the latest monthly platform patch in order to address all CVEs related to third-party dependencies. It is recommended that this become part of a monthly maintenance routine.

The definition of a CVE according to mitre.org is as follows:

A CVE is a list of information on security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Environment:
This article applies to all CA API Management products, particularly where a vulnerability scan or penetration test has been performed and the tool reports a weakness that it suggests should be resolved.
Instructions:

If an automated reporting tool or manual audit of a system implies that a security vulnerability exists on the API Gateway, then the following procedure should be executed prior to contacting CA Support:

  1. Check the knowledge base for known or named vulnerabilities, as CA Support has already published many articles addressing them.
  2. Ensure the API Gateway appliance being scanned has been patched with the latest monthly platform update (also known as a security patch), hosted on the Solutions & Patches page.
  3. Check each reported CVE number against the Red Hat CVE database to determine whether the affected package has already been updated by Red Hat.
    • CA Technologies relies upon upstream vendors for dependency updates. Products such as OpenSSL and MySQL may have had fixes backported by the vendor without the version numbers of those products being changed. This convention can unfortunately lead to false positives from automated scanning tools, which often judge exposure by version number alone. The most accurate way to know whether a finding is a false positive is to review the CVE in the Red Hat CVE database.
  4. Run the automated scan / audit again after the steps above are complete. If a genuine concern still exists, a support case should be created.
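The false-positive situation described in step 3 can be checked on the appliance itself, because Red Hat records backported CVE fixes in the RPM changelog of the affected package. The script below is an added example and not part of the CA article or the product: it greps the output of `rpm -q --changelog <package>` for a CVE identifier and reports whether a fix is recorded even when the package version looks old. The CVE identifiers used in the constructed sample changelog are placeholders, not real entries.

```shell
#!/bin/sh
# Added example (not from the CA article): confirm whether a vendor-backported fix
# for a CVE is recorded in an installed RPM's changelog, so a scanner finding that is
# based only on the version number can be classified before raising a support case.

# Does changelog text on stdin mention the given CVE id? (exit 0 = yes, 1 = no)
changelog_mentions_cve() {
  cve="$1"
  grep -q -i -F -- "$cve"
}

# Query the installed package's RPM changelog for the CVE.
# Exit codes: 0 = fix recorded, 1 = no entry, 2 = rpm unavailable or package not installed.
check_backported_fix() {
  pkg="$1"
  cve="$2"
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm is not available on this host" >&2
    return 2
  fi
  if ! rpm -q "$pkg" >/dev/null 2>&1; then
    echo "package $pkg is not installed" >&2
    return 2
  fi
  if rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"; then
    echo "$pkg: changelog records a fix for $cve (backported; the scanner finding is likely a false positive)"
    return 0
  fi
  echo "$pkg: no changelog entry for $cve; treat the finding as open"
  return 1
}

# Constructed sample in the style of "rpm -q --changelog" output.
# CVE-0000-0001 and CVE-0000-0002 are placeholders, not real CVE identifiers.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 Example Maintainer <maintainer@example.com> 1.0.1e-16.el6_5.7
- fix CVE-0000-0001 - placeholder description of a backported fix

* Mon Jan 06 2014 Example Maintainer <maintainer@example.com> 1.0.1e-16.el6_5.4
- fix CVE-0000-0002 - placeholder description of an earlier backported fix'

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-0000-0001; then
  echo "sample changelog records CVE-0000-0001"
fi
if ! printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-0000-9999; then
  echo "sample changelog has no entry for CVE-0000-9999"
fi

# Real check when run as: sh check_cve.sh <package> <CVE-id>
if [ $# -eq 2 ]; then
  check_backported_fix "$1" "$2"
fi
```

On an appliance, run it as `sh check_cve.sh openssl CVE-YYYY-NNNN` with the identifier taken from the scan report. A recorded changelog entry is strong evidence of a backport, but the Red Hat CVE database remains the authoritative source when the changelog is silent, since a package may simply not be affected.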

A note on generic security configuration recommendations by automated tools:

It should be understood that any configuration recommendations (non-CVEs) suggested by automated scanning tools are not generally recommended or encouraged by CA Technologies. While in some cases the recommendation may be desirable or may work without issue, it is important to know that many of the configurations in the appliances come "out of the box" the way they are for a reason. Any changes to the configuration of critical components such as MySQL or the appliance file system may negatively impact the environment. In addition, QA testing is done on the "out of the box" security configurations rather than on any possible customizations, so there is an inherent risk in modifying any of these components. Any changes made to meet IT security policies are considered to be done "at your own risk".

Additional Information:

Commonly viewed security vulnerability KB articles with responses from CA Technologies:

When opening a new support case to report a vulnerability, the following items should be provided up front:

  • Output of the following commands:
    • rpm -q ssg ssg-appliance
    • uname -a
    • dmidecode -t 1
  • A copy of the following file: /opt/SecureSpan/Controller/var/logs/patches.log
  • Any applicable CVE identifiers.
  • Any applicable RHSA identifiers.
  • Any applicable identifiers from other vendors.
  • The name of the tool used to scan the CA API Management appliance.
  • Detailed information regarding the impact of any reported vulnerabilities, including the business impact.
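The items above can be gathered in one pass so they are ready when the case is opened. The script below is an added example, not part of the CA article or the product: it runs the three listed commands, copies the listed patch log, and writes a template for the remaining items. Commands that are missing or fail on the host (for instance `dmidecode`, which needs root) are recorded as unavailable rather than aborting the collection. The output directory name is an assumption.

```shell
#!/bin/sh
# Added example (not from the CA article): collect the support-case items listed
# above into one directory. Missing or failing commands are noted, not fatal.

PATCH_LOG=/opt/SecureSpan/Controller/var/logs/patches.log   # path from the article

# Run a command and save its output; record a note if it is unavailable or fails.
# Usage: capture <outfile> <command> [args...]
capture() {
  out="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$out" 2>&1 || echo "[command '$*' exited with status $?]" >> "$out"
  else
    echo "[command '$1' not available on this host]" > "$out"
  fi
}

# Collect everything into <dir>; prints the directory name and returns 0.
collect_support_info() {
  dir="$1"
  mkdir -p "$dir"
  capture "$dir/rpm-versions.txt" rpm -q ssg ssg-appliance
  capture "$dir/uname.txt" uname -a
  capture "$dir/dmidecode.txt" dmidecode -t 1
  if [ -r "$PATCH_LOG" ]; then
    cp "$PATCH_LOG" "$dir/patches.log"
  else
    echo "[$PATCH_LOG not readable or not present on this host]" > "$dir/patches.log"
  fi
  # Template for the items the reporter must fill in by hand.
  cat > "$dir/case-details.txt" <<'EOF'
Scanner tool name:                 <fill in>
CVE identifiers reported:          <fill in>
RHSA identifiers reported:         <fill in>
Identifiers from other vendors:    <fill in>
Impact (technical and business):   <fill in>
EOF
  echo "$dir"
}

# Default output location is an assumption; pass a directory to override it.
collect_support_info "${1:-/tmp/apim-support-bundle}"
```

Run it as `sh collect_support_info.sh /tmp/case-12345` on the appliance, fill in `case-details.txt`, and attach the directory contents to the case. Because the collector never escalates privileges, run it as root if the `dmidecode` output is required.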