CA20160405-01: Security Notice for CA API Gateway
Issued: April 05, 2016
Last Updated: April 05, 2016
CA Technologies Support is alerting customers to a Medium risk vulnerability with CA API Gateway (formerly known as Layer7 API Gateway). A vulnerability, CVE-2016-3118, exists in CA API Gateway that may allow a remote unauthenticated attacker to conduct CRLF Injection attacks in limited network configurations. CA has fixes available.
| CVE Identifier | Risk |
| CVE-2016-3118 | Medium |
Platform: Linux, Sun Solaris
Affected products: CA API Gateway (formerly Layer7 API Gateway) 7.1, 8.0, 8.1, 8.2, 8.3, 8.4
Non-affected products: CA API Gateway 9.0 and later
How to determine if the installation is affected
In CA API Gateway, view the Policy Manager "about" box to find the version. If the CA API Gateway version is earlier than the fix version below, the installation may be vulnerable.
| Product | Fix Version |
| CA API Gateway 7.1 | 7.1.04 |
| CA API Gateway 8.0, 8.1, 8.2, 8.3 | 8.3.01 |
| CA API Gateway 8.4 | 8.4.01 |
| CA API Gateway 9.0 and later | Not affected |
CA Technologies has fixes that correct this vulnerability for all affected CA API Gateway versions. Update to the fix version indicated below.
CA API Gateway 7.1:
Update to 7.1.04
CA API Gateway 8.0, 8.1, 8.2, 8.3:
Update to 8.3.01
CA API Gateway 8.4:
Update to 8.4.01
CA API Gateway 9.0 is not affected
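The version check and fix mapping above can be applied to a list of gateways in one pass. The following is an added example, not code from CA Technologies; it assumes versions are recorded as dotted numeric strings as read from the Policy Manager "about" box, and the hostnames and inventory are constructed for illustration.

```python
import re

# Fix versions transcribed from the advisory's table, keyed by (major, minor) branch.
FIX_VERSIONS = {
    (7, 1): "7.1.04",
    (8, 0): "8.3.01", (8, 1): "8.3.01", (8, 2): "8.3.01", (8, 3): "8.3.01",
    (8, 4): "8.4.01",
}

def parse_version(text):
    """Turn '8.3.01' or 'v8.2' into a comparable tuple such as (8, 3, 1)."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '8.4' compares as 8.4.0
    return tuple(parts)

def assess(version_text):
    """Return (status, fix_version_or_None) for one reported gateway version."""
    version = parse_version(version_text)
    if version[0] >= 9:
        return ("not affected", None)
    fix = FIX_VERSIONS.get(version[:2])
    if fix is None:
        # Branch is outside the advisory's table; it makes no statement about it.
        return ("not listed in advisory", None)
    if version < parse_version(fix):
        return ("may be vulnerable", fix)
    return ("at or above fix version", fix)

# Constructed inventory: hostnames and versions are made up for illustration.
INVENTORY = {
    "gw-prod-01": "8.2.00",
    "gw-prod-02": "8.3.01",
    "gw-dmz-01": "7.1.03",
    "gw-lab-01": "9.0.00",
}

def report(inventory):
    """Map each host to its (status, fix_version) assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, fix) in sorted(report(INVENTORY).items()):
        action = f"update to {fix}" if status == "may be vulnerable" else "no action"
        print(f"{host}: {status} ({action})")
```

Versions on branches that the advisory's table does not list are reported as such rather than being classified either way.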
CVE-2016-3118 - CA API Gateway CRLF Injection
CVE-2016-3118 - Patrick Webster of OSI Security
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at https://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.