Threat protection false positive in encoded data

Document ID : KB000118806
Last Modified Date : 16/11/2018
Introduction:
This article addresses an issue with the Threat Protection assertions. More information can be found in the documentation here:

https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/threat-protection-assertions/
Question:
In API Gateway, the content security check (SqlAttackProtection) rejects the following request as an SQL injection attempt:

https://<HOSTNAME>oauth2/auth?response_type=code&scope=<scope>&client_id=<CLEINT_ID>f&state=<STATE>&redirect_uri=<Redirect_uri>

The assertion is configured with all options checked. What would be a good, reasonable setting of the assertion to let such requests in without lowering security too much?
Environment:
CA API Gateway
Answer:
The issue was traced to the base64-encoded state parameter. The base64-encoded string contained "--", which starts a comment in Oracle. If the Invasive injection option is unchecked, the threat is no longer detected.
Invasive threat protection prevents Oracle exploits, that is, exploits of Oracle security vulnerabilities. To make sure the product is protected against security vulnerabilities, patches provided by RHEL or CentOS, including database patches, are released in the Monthly Platform Patches. In addition, any new vulnerability reported by a customer is passed to the development team to be worked on.
The list of fixed vulnerabilities can be found in the cve-info txt file at the patches link. It is suggested to keep the appliance updated to the latest monthly patch. Patch link: https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-api-gateway-solutions-and-patches.html
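To confirm the same cause on another rejected request, the check below lists every query parameter that contains "--" and says whether the value is a well-formed URL-safe base64 token, as the state value was here. It is an added example, not CA code or gateway configuration; the function names, the sample URL and the single "--" marker are assumptions, since the assertion's real pattern set is not shown in this article.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Only the "--" comment marker is named in the article; the gateway's actual
# patterns are not shown, so matching on this one sequence is an assumption.
SQL_COMMENT = "--"
B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")

# Constructed sample request (hypothetical host and values, not from the article).
SAMPLE_URL = (
    "https://gateway.example/oauth2/auth?response_type=code&client_id=demo"
    "&state=eyJub25jZSI6--Qx&q=name%20--%20note"
)


def looks_like_base64url(value):
    """True when value uses only the URL-safe base64 alphabet and decodes."""
    if len(value) < 8 or not B64URL.fullmatch(value):
        return False
    padded = value + "=" * (-len(value) % 4)
    try:
        base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(url):
    """Return (parameter, verdict) for each query parameter containing "--".

    "encoded-token" is a hint that the hit is probably encoding noise;
    "review" means the value is not a clean token and needs a human look.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SQL_COMMENT not in value:
            continue
        verdict = "encoded-token" if looks_like_base64url(value) else "review"
        findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_URL):
        print(f"{name}: {verdict}")
```

The verdict is a triage hint only: a short hyphenated word can also pass the alphabet check, so an "encoded-token" result should still be compared with what the client is expected to send in that parameter.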