This article addresses an issue with the Threat Protection Assertion. More information can be found in the documentation here.
In the API Gateway, the content security check (SqlAttackProtection) rejects the following request as an SQL injection attempt:
https://<HOSTNAME>oauth2/auth?response_type=code&scope=<scope>&client_id=<CLIENT_ID>&state=<STATE>&redirect_uri=<Redirect_uri>
The assertion is configured with all options checked. What would be a good, reasonable setting of the assertion that lets such requests through without lowering security too much?
The issue was identified to be in the base64-encoded state parameter: the encoded string contained "--", which is the line-comment marker in Oracle SQL. If the Invasive injection option is unchecked, the threat is not detected.
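To make the false positive concrete, here is an added Python simulation (not the gateway's own code; the product's real Invasive injection pattern list is assumed to be broader than the single "--" marker modelled here, and the host and client values are constructed placeholders). It shows why a base64url-encoded state can contain "--" while a standard-base64 or hex state never can, so the client can keep the check enabled by choosing a state encoding that cannot trip it:

```python
import base64
import re
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# Simplified stand-in for the gateway's invasive check: an SQL line-comment
# marker "--" anywhere in a decoded query parameter value. Assumption: the
# product's real pattern list is broader; only the behaviour described in
# the article (rejection on "--") is modelled here.
SQL_LINE_COMMENT = re.compile(r"--")

def build_auth_url(state: str) -> str:
    """Constructed authorization request with placeholder host and client."""
    return (
        "https://gateway.example/oauth2/auth?response_type=code&scope=openid"
        f"&client_id=app1&state={quote(state, safe='')}"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    )

def flagged_params(url: str) -> dict:
    """Return {name: value} for every query parameter containing '--'."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, vs in query.items() for v in vs if SQL_LINE_COMMENT.search(v)}

def state_base64url(raw: bytes) -> str:
    """base64url (RFC 4648 section 5) uses '-' for value 62, so '--' can occur."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def state_base64(raw: bytes) -> str:
    """Standard base64 uses '+' for value 62 and never emits '-'."""
    return base64.b64encode(raw).decode()

def new_safe_state() -> str:
    """Random 128-bit state in hex: unpredictable and free of '--'."""
    return secrets.token_hex(16)

if __name__ == "__main__":
    # Constructed bytes: FB EF BE encode to four value-62 sextets
    # ("----" in base64url, "++++" in standard base64).
    raw = b"\xfb\xef\xbe\x01\x02\x03"
    for name, state in (("base64url", state_base64url(raw)),
                        ("base64", state_base64(raw)),
                        ("hex", new_safe_state())):
        print(f"{name:9} state={state!r:36} flagged={flagged_params(build_auth_url(state))}")
```

Only the base64url state is rejected by the simulated check; the other two encodings pass with the invasive option still enabled.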
Invasive threat protection prevents Oracle exploits that target Oracle security vulnerabilities. To make sure the product is protected against security vulnerabilities, patches provided by RHEL or CentOS, including database patches, are released in the Monthly Platform Patches. Also, if any new vulnerabilities are reported by a customer, they are passed to the development team to be worked on.
The list of fixed vulnerabilities can be found in the cve-info txt file at the patches link. It is suggested to keep the appliance updated to the latest monthly patch. Link for patches: https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-api-gateway-solutions-and-patches.html