If an automated reporting tool or a manual audit indicates that a security vulnerability exists on the API Gateway, the following procedure should be executed prior to contacting CA Support:
- Check the knowledge base for known or named vulnerabilities, as CA Support has already published many articles addressing them.
- Ensure the API Gateway appliance being scanned has been patched with the latest monthly platform update (also known as a security patch), hosted on the Solutions & Patches page.
- Check the reported CVE number against the Red Hat CVE database to confirm whether Red Hat has already fixed the issue in the package of concern.
- CA Technologies relies upon upstream vendors for dependency updates. Fixes for products such as OpenSSL and MySQL may have been backported by those vendors without changing the product's version number. This convention can unfortunately lead to false positives from automated scanning tools, which often judge exposure by version string alone. The most accurate way to determine whether a finding is a false positive is to review it in the Red Hat CVE database.
- Run the automated scan or audit again after the steps above are complete. If a genuine concern still exists, create a support case.
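As an added example (not part of the CA article), the backport check described in the steps above can be done locally before consulting the Red Hat CVE database: on a RHEL-based appliance, `rpm -q --changelog <package>` lists the CVE ids a vendor fix addresses even when the version string is unchanged. The changelog text and CVE ids below are constructed placeholders, not real identifiers.

```python
import re
import subprocess

# Matches CVE identifiers in free text, e.g. scanner reports or rpm changelogs.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample of `rpm -q --changelog openssl` output. The package
# version is not bumped by the security fix; only the changelog records it.
# The CVE ids here are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
* Tue Mar 01 2016 Example Maintainer <maint@example.invalid> 1.0.1e-51.1
- fix CVE-0000-00001 - backported fix, package version unchanged
- fix CVE-0000-00002 - second backported fix in the same errata

* Mon Jan 11 2016 Example Maintainer <maint@example.invalid> 1.0.1e-51
- rebase to upstream 1.0.1e
"""


def cves_in_changelog(changelog: str) -> set:
    """Return every CVE id the package changelog claims to fix."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def triage_finding(cve_id: str, changelog: str) -> str:
    """Classify one scanner finding against the installed package's changelog.

    A scanner that only compares upstream version strings cannot see a
    backported fix, so a CVE named in the changelog is a likely false positive.
    Anything else stays open until confirmed in the Red Hat CVE database.
    """
    if cve_id.upper() in cves_in_changelog(changelog):
        return "likely false positive: fix backported into installed package"
    return "unresolved: confirm in Red Hat CVE database, then open a support case"


def installed_changelog(package: str) -> str:
    """Read the real changelog from rpm on the appliance (RHEL-based)."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration against the constructed changelog above.
    for cve in ("CVE-0000-00001", "CVE-0000-00003"):
        print(cve, "->", triage_finding(cve, SAMPLE_CHANGELOG))
```

On a live appliance, replace `SAMPLE_CHANGELOG` with `installed_changelog("openssl")` (or the flagged package) to triage the scanner's findings against what is actually installed.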
A note on generic security configuration recommendations by automated tools:
It should be understood that configuration recommendations (non-CVE findings) suggested by automated scanning tools are not generally recommended or encouraged by CA Technologies. While in some cases a recommendation may be desirable or may work without issue, many of the appliance's configurations are shipped "out of the box" the way they are for a reason. Changes to the configuration of critical components such as MySQL or the appliance file system may negatively impact the environment. In addition, QA testing is performed on the "out of the box" security configuration rather than on any possible customizations, so there is an inherent risk in modifying any of these components. Any changes made to meet IT security policies are considered to be done "at your own risk".