Threat protection false positive in encoded data

Document ID : KB000118806
Last Modified Date : 16/11/2018
This article addresses an issue seen when using the Threat Protection Assertion. More information can be found in the documentation here.
In the API Gateway, the content security check (SqlAttackProtection) rejects the following request as a SQL injection attempt:
https://<HOSTNAME>oauth2/auth?response_type=code&scope=<scope>&client_id=<CLIENT_ID>f&state=<STATE>&redirect_uri=<Redirect_uri>
The assertion is configured with all options checked. What would be a good, reasonable setting of the assertion that lets such requests through without lowering security too much?
CA API Gateway
The issue was identified as being in the base64-encoded state parameter. The encoded string contained "--", which is a comment sequence in Oracle SQL. If the Invasive injection option is unchecked, the threat is no longer detected.
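The following is an added illustration of the false positive described above and of a narrower way to handle it; it is not code from the KB or from the Gateway product. The "-" character belongs to the base64url alphabet (RFC 4648 section 5), which is how an encoded state value can legitimately contain "--". The script scans a constructed authorization request two ways: a naive scan that checks every query parameter verbatim (and so flags the encoded state, as the assertion did), and an encoding-aware scan that exempts a declared opaque parameter only when its value matches the base64url alphabet exactly, so the exemption cannot be used to slip arbitrary text through in that parameter. The sample URLs, the parameter name list and the small marker pattern set are all assumptions made for the example; how this trade-off maps onto the assertion's own options is not covered by the KB.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# SQL comment sequences used as injection markers. "--" is the sequence the KB
# says appeared inside the encoded state. This is an illustrative pattern set,
# not the assertion's real rule list.
SQL_COMMENT_MARKERS = re.compile(r"--|/\*|\*/")

# Strict allow-list for an opaque base64url token (RFC 4648 section 5),
# optional "=" padding. Anything outside this alphabet is NOT exempted.
BASE64URL_VALUE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")

# Constructed sample requests (hypothetical hostnames, client id and state).
# The first has a well-formed base64url state that happens to contain "--".
SAMPLE_ENCODED_STATE = (
    "https://gateway.example/oauth2/auth?response_type=code&scope=openid"
    "&client_id=demo-client&state=a1B2--c3D4_e5F6"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
)
# The second carries a state value that is not base64url at all (contains a
# space) and also contains "--"; it must still be flagged.
SAMPLE_MALFORMED_STATE = (
    "https://gateway.example/oauth2/auth?response_type=code&scope=openid"
    "&client_id=demo-client&state=plain+text--"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
)


def _query_params(url):
    """Return the decoded (name, value) pairs of the URL's query string."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def naive_scan(url):
    """Scan every parameter value verbatim.

    Returns the names of parameters containing a SQL comment marker. A
    base64url state containing "--" is reported here, which is the false
    positive the KB describes.
    """
    return [name for name, value in _query_params(url)
            if SQL_COMMENT_MARKERS.search(value)]


def encoding_aware_scan(url, opaque_params=("state",)):
    """Scan all parameters, exempting declared opaque tokens that are
    well-formed base64url.

    The exemption is an allow-list: a value that is only base64url characters
    cannot carry quotes, spaces or other SQL syntax, so skipping the marker
    scan for it does not loosen the check elsewhere. An opaque parameter whose
    value fails the allow-list is scanned like any other parameter.
    """
    findings = []
    for name, value in _query_params(url):
        if name in opaque_params and BASE64URL_VALUE.match(value):
            continue  # well-formed opaque token: "--" here is not SQL
        if SQL_COMMENT_MARKERS.search(value):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("naive scan, encoded state:       ", naive_scan(SAMPLE_ENCODED_STATE))
    print("encoding-aware, encoded state:   ", encoding_aware_scan(SAMPLE_ENCODED_STATE))
    print("encoding-aware, malformed state: ", encoding_aware_scan(SAMPLE_MALFORMED_STATE))
```

The naive scan reports the state parameter for the first URL; the encoding-aware scan reports nothing for it but still reports the second URL's state, because a value with a space is not a base64url token and gets the normal scan. Scoping the relaxation to one parameter and one well-defined encoding is the alternative to turning the invasive check off for the whole request.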
Invasive threat protection guards against Oracle exploits, which are Oracle security vulnerabilities. To make sure the product is protected against security vulnerabilities, patches provided by RHEL or CentOS, including database patches, are released in the Monthly Platform Patches. Also, if any new vulnerabilities are reported by a customer, they are reported to the development team to be worked on.
The list of fixed vulnerabilities can be found in the cve-info txt file at the patches link. It is suggested to keep the appliance updated to the latest monthly patch. Link for patch