christianasebo.blogg.se

Axway secure transport vulnerabilities

API Gateway 7.7 includes all fixes for 7.5.3 and 7.6.2 Service Packs up to and including 7.5.3 SP 10 and 7.6.2 SP 2. For details of all the Service Pack fixes included in 7.7, see the corresponding SP Readme attached to each Service Pack on Axway Support.

Fixed security vulnerabilities

Issue: API Gateway Manager UI was vulnerable to a path traversal attack from unauthenticated users.
Resolution: API Gateway Manager UI is no longer vulnerable.

Issue: Cannot limit the number of simultaneous open WebSockets for a client IP address.
Resolution: You can now configure the WebSocket listener with a policy that is triggered when the connection is closed. You must configure a .onclose Java global property in the jvm.xml file with the reference to the policy to be called.

Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of vulnerabilities, including CVE-2018-1199.
Resolution: API Gateway includes Spring framework version 4.3.18.RELEASE, which addresses the known vulnerabilities.

Issue: API Gateway does not fail the decryption of a PGP-encrypted signed message when the Verify option is selected in the filter.
Resolution: The decryption fails in this case by default. The Decrypt with PGP filter now has a new option, 'Fail decrypt if One Pass and not signed', to control this behavior. In earlier versions, the system property pgpFailDecryptNoSignature controlled this behavior. If that system property is set to false, you must deselect the new 'Fail decrypt if One Pass and not signed' option to keep the same behavior.

Issue: On receiving a message body containing the string, the Threatening Content filter only reported an error if that string was uppercase, which incorrectly allowed XXE strings through the filter to be processed by downstream filters and policies and possibly sent on to back-end systems.
Resolution: The Threatening Content filter now performs a case-insensitive match against the string and reports an error.

Issue: A URL with a large number of slashes causes a crash in API Gateway.
Resolution: API Gateway correctly handles long URLs in memory.

Issue: Submitting a token request without specifying any scope would return all application scopes and the scopes of APIs that are associated with the application.

Issue: API Gateway included Bouncy Castle library version 1.55, which contained vulnerabilities.
Resolution: API Gateway now includes Bouncy Castle library version 1.60 and is no longer vulnerable.
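The Threatening Content fix above comes down to one thing: a case-sensitive string match lets a mixed-case XXE declaration past the filter. The following Python model is an added example, not Axway's code, and the marker strings `<!DOCTYPE` and `<!ENTITY` are an assumption, since the release note does not name the string the filter matches; the XML bodies are constructed samples.

```python
import re

# Assumed XXE markers; the release note does not name the matched string.
XXE_MARKERS = ("<!DOCTYPE", "<!ENTITY")

# Constructed sample message bodies (not taken from the page).
UPPERCASE_BODY = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
                  '"file:///tmp/example.txt">]><r>&x;</r>')
MIXED_CASE_BODY = ('<?xml version="1.0"?><!doctype r [<!Entity x SYSTEM '
                   '"file:///tmp/example.txt">]><r>&x;</r>')
CLEAN_BODY = '<?xml version="1.0"?><r>hello</r>'


def find_threatening_content(body: str, case_insensitive: bool) -> list:
    """Return the markers found in body.

    case_insensitive=False models the pre-fix filter, which only reported a
    marker written exactly as configured (uppercase); True models the fix,
    which matches regardless of case.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return [m for m in XXE_MARKERS if re.search(re.escape(m), body, flags)]


def filter_verdict(body: str, case_insensitive: bool) -> str:
    """'error' when threatening content is present, otherwise 'pass'.

    A 'pass' means the body continues to downstream filters and policies,
    which is exactly what happened with mixed-case XXE before the fix.
    """
    return "error" if find_threatening_content(body, case_insensitive) else "pass"


if __name__ == "__main__":
    for name, body in (("uppercase", UPPERCASE_BODY),
                       ("mixed-case", MIXED_CASE_BODY),
                       ("clean", CLEAN_BODY)):
        print(f"{name:10} pre-fix={filter_verdict(body, False):5} "
              f"fixed={filter_verdict(body, True)}")
```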