Document version: 02 November 2018
This Readme applies to Axway API Gateway and API Manager 7.6.2 SP1, for all platforms. The information in this Readme supersedes any corresponding information in the documentation (online or printed) previously supplied for the products.
The main aim of this service pack is to provide fixes for a number of reported defects. This service pack contains updates for:
The service pack contains new binaries only and does not overwrite the existing configuration. Service packs are cumulative and include all preceding fixes (service packs and patches) in this product version.
File packages: An installation archive is provided for all platforms (for example, APIGateway_7.6.2_SP1_Core_win-x86-32_BNYYYYMMDDn.zip for Windows).
Size: The file size differs for each platform. The MD5 checksum is provided for each file.
Internal ID | Case ID | CVE Identifier | Description |
---|---|---|---|
RDAPI-13150 | | CVE-2018-1199 | Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of unaddressed vulnerabilities. Resolution: API Gateway now includes Spring framework version 4.3.18.RELEASE. |
RDAPI-13547 | 00981086 | | Issue: If logged in as an organization administrator, you could access, edit, or delete an application owned by a different organization by changing the application ID in the URL. Resolution: Now, when authenticated, you can only manage the applications which you are authorized to access. |
RDAPI-13597 | 00976711 | | Issue: API Gateway does not fail the decryption of a PGP-encrypted signed message when the Verify option is selected in the filter. Resolution: You can use the new -DpgpFailDecryptNoSignature=true system property to configure whether the message is decrypted in this case. |
RDAPI-13728 | 00977621 | | Issue: The Username field has no input validation. Also, special characters are not escaped in emails. Resolution: The Username field validates against a whitelist of allowed characters. Special characters are correctly escaped within emails. |
RDAPI-13769 | 00969445 | | Issue: It is not possible to trigger a policy when a WebSocket connection is closed. Resolution: You can now configure a WebSocket listener with a policy that triggers when the connection is closed. |
RDAPI-13887 | 00949535 | | Issue: The API Gateway Manager UI allowed a user who was not logged in to access source files. Resolution: Source files cannot be accessed without a successful login. |
RDAPI-14076 | 00982967 | | Issue: You could grant a role access to a higher level than your own using a PUT request. Resolution: You can only grant role access at a level lower than your own. |
RDAPI-14078 | 00999092, 01002567 | CVE-2018-0737, CVE-2018-0732 | Issue: API Gateway shipped with OpenSSL 1.0.2o-fips, which is vulnerable to CVE-2018-0732 and CVE-2018-0737. Resolution: API Gateway now ships with OpenSSL 1.0.2p-fips, which addresses the CVE-2018-0732 and CVE-2018-0737 security vulnerabilities. |
RDAPI-14181 | 01004262 | | Issue: API Gateway crashes because of a string length miscalculation and memory corruption in libHTTP.so when a URL contains too many slashes. Resolution: API Gateway handling of long URLs in memory has been corrected. |
RDAPI-14183 | 00983725, 01003668, 00984372 | | Issue: API Manager users could embed malicious code in client OAuth redirect URLs. Resolution: This security vulnerability is now fixed in API Manager. |
RDAPI-14189 | 00976396, 00933466 | | Issue: Submitting a token request without specifying any scope would return all application scopes and the scopes of APIs associated with the application. Resolution: Set the JVM property <VMArg name="-Dcom.apimanager.application.oauth.restrictScopes=true"/> to return only those scopes that have been added to the application as application-level scopes and marked as default. |
RDAPI-14378 | 00993607, 00984372 | | Issue: The URL input field on the Add new trusted certificate dialog in API Manager could be used to check for the existence of files on the server, or to map open ports on the local network of API Gateway. Resolution: The URL input field is validated: it must be an HTTP URL, and only public domains are allowed. Also, the same error output is now returned in all cases when no certificate is found. |
RDAPI-14457 | 00981694 | CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098 | Issue: Bouncy Castle library 1.55 has security vulnerabilities. Resolution: API Gateway now ships with Bouncy Castle library version 1.60. |
RDAPI-14539 | 01011534 | CVE-2018-3183 | |
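The kind of URL validation that RDAPI-14378 describes (HTTP only, public hosts only, one uniform error for every failure) can be illustrated as follows. This is an added example, not Axway's code; the refusal of embedded credentials and non-default ports, the injectable resolver, and the constructed DNS table are assumptions made for the example.

```python
# Added example (not Axway code): validation of a user-supplied certificate URL
# of the kind RDAPI-14378 describes. Assumed policy: http scheme only, no
# embedded credentials, default port only, and the host (literal or resolved)
# must be a globally routable unicast address. Every rejection returns the
# same message so the caller learns nothing about the target it named.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

GENERIC_ERROR = "No certificate found at the supplied URL"

# The resolver is injectable so the check can be exercised offline.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a host name to all of its A/AAAA addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table for offline demonstration only (not real records).
_CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.1.2.3"],
    "localhost": ["127.0.0.1"],
}


def offline_resolver(host: str) -> List[str]:
    if host not in _CONSTRUCTED_DNS:
        raise socket.gaierror("constructed resolver: no such host")
    return _CONSTRUCTED_DNS[host]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 part
    blocked = (ip.is_private or ip.is_loopback or ip.is_link_local
               or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
    return ip.is_global and not blocked


def validate_certificate_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (True, "") for an acceptable URL, else (False, GENERIC_ERROR)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, GENERIC_ERROR
    if parts.scheme.lower() != "http" or not parts.hostname:
        return False, GENERIC_ERROR
    if parts.username is not None or parts.password is not None:
        return False, GENERIC_ERROR
    if port not in (None, 80):  # assumption: refuse non-default ports
        return False, GENERIC_ERROR
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: judge it directly
    except ValueError:
        try:
            addrs = resolve(host)  # name: every address it maps to must pass
        except OSError:  # socket.gaierror is an OSError
            return False, GENERIC_ERROR
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, GENERIC_ERROR
    return True, ""
```

A check like this only holds if the later fetch connects to the address that was validated; resolving the name again at fetch time reopens the gap.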
Internal ID | Case ID | Description |
---|---|---|
RDAPI-12324 | 00942402 | Issue: When a front-end API is secured using an invoked policy that contains a Connect to URL filter, and the connection to the API fails, API Manager returns a 200 or 204 HTTP status instead of 500 Internal Server Error. Resolution: API Manager now returns 500 Internal Server Error in this scenario. |
RDAPI-13273 | 00976057 | Issue: Granting API access to an organization does not generate an alert during POST requests to the /proxies/grantaccess endpoint. Resolution: Any POST request to this endpoint now generates an alarm for organization API access. |
RDAPI-13280 | 00969687 | Issue: Policy Studio fails during Data Map creation when importing an XSD file that includes other XSDs under Resources > XML Schema Document Bundles > User-defined. Resolution: An XSD schema that contains other XSDs now imports correctly for Data Map creation in Policy Studio. |
RDAPI-13287 | 00946657 | Issue: Requiring an encryption password when exporting an API or application collection causes the apimanager-promote script to fail because it is not possible to provide a decryption password or passfile. Resolution: The apimanager-promote script now requires a decryption password or passfile. |
RDAPI-13557 | 00957205 | Issue: The apimanager-promote script returns 0 even when the deployment fails. Resolution: The script now returns 0 for success and 1 if the deployment fails. |
RDAPI-13805 | 00989086 | Issue: After adding a second node manager to a group, the two node managers would have different topology versions. Resolution: When a second node manager is added, both node managers have the same topology version. |
RDAPI-13849 | 00974976, 00982285, 00975245 | Issue: Trailing slashes were not always processed correctly for inbound requests in SOAP and REST APIs. Resolution: You can set the new com.vordel.apimanager.uri.path.trailingSlash.preserve Java property to 'true' to allow inbound API requests with a trailing slash to match an API path with no trailing slash. |
RDAPI-13871 | | Issue: API Gateway Manager user and password audit events were missing information that is useful from an audit perspective. Resolution: User events (create, delete, and update) and password events (change and reset) now show the relevant information for an audit. |
RDAPI-13882 | 00968176 | Issue: Using the implicit OAuth flow, the token response did not include the scopes for the token in the Location header of the response, even when the scopes were different from the request, as required by the specification. Resolution: The implicit OAuth token response always contains the scopes, whether they are different from the requested scopes or not. |
RDAPI-13906 | 01005883, 00998723, 00997199 | Issue: You could not successfully create OCSP Client, Security Token Service Client, or XACML PEP filters in Policy Studio due to a missing resource. Resolution: The filters can now be created successfully in Policy Studio. |
RDAPI-13930 | 00966823 | Issue: API Gateway JMS Service threads get locked when trying to reconnect after an external JMS server outage. Resolution: JMS threads now reconnect automatically after an external JMS server outage. |
RDAPI-13938 | 00994951, 00990926 | Issue: Each API Manager instance was showing metrics for all groups in the domain, not just its own. Resolution: Each API Manager instance only shows metrics for its own group. |
RDAPI-13945 | | Issue: HTTP status codes are incorrect in the API Manager-specific fault response: a 500 error is always returned. Also, the SOAP error response needs to respect the HTTP error code. Resolution: The API Manager-specific fault response now sends the correct status code, and the SOAP fault code is returned respecting the HTTP error response. |
RDAPI-13947 | | Issue: For a given fault handler filter, if the Show detailed explanation of error option was selected, the custom error message set was not populated in the HTTP response, and a generic error was displayed instead. Resolution: The custom error message is now displayed in the response if this option is selected. In addition, some improvements were made, including rendering a correct SOAP version fault body based on the option set in the SOAP fault handler. |
RDAPI-13964 | 00989460 | Issue: API Manager did not import or show the correct response definitions, or would fail to display the API method. Resolution: API Manager imports and displays the response definitions correctly. |
RDAPI-13974 | 00956029 | Issue: When the metrics database was changed for API Manager in Policy Studio, the change was not being saved. Resolution: When the metrics database is changed, the user is prompted to save the change before continuing. |
RDAPI-13982 | 00961953 | Issue: Deleting an API Manager front-end API in a system with many APIs and quotas took too long because the application hit the database with many unnecessary CRUD operations. Resolution: Only necessary operations are performed now, and deleting a front-end API should only take a few seconds, depending on how close API Gateway is to the Apache Cassandra cluster. |
RDAPI-13987 | 00987739 | Issue: Import of a WSDL into API Manager was hanging. Resolution: The import now completes successfully. |
RDAPI-14003 | 00979243 | Issue: Incoming requests for URLs containing encoded extended ASCII characters could result in errors when writing Traffic Monitoring records and cause a memory leak. Resolution: The extended ASCII characters are no longer treated as a malformed UTF-8 string, and the memory leak no longer happens. |
RDAPI-14006 | 00979478 | Issue: When a method override points to a back-end API or method other than the default option set at virtualization time, the proxy associated with the method override, once persisted, could not be edited anymore. Resolution: The proxy associated with the method override can now be edited after being persisted in API Manager. |
RDAPI-14007 | 00966062 | Issue: When using the Connect To URL filter to connect to a remote host in an External Identity Provider circuit, the connections were never released back to the connection pool once processing was completed. Resolution: The remote host connections are released at the end of processing requests to an External Identity Provider. |
RDAPI-14011 | 00999506 | Issue: When the API settings content types check is enabled with application/json, API Gateway returns error 404 for REST API methods designed to consume content types. Resolution: The API Gateway REST API method content types check option now works as expected. |
RDAPI-14016 | 00996887 | Issue: The Traffic Monitoring UI fails to display non-HTTP transactions if the API Gateway instance has not had any HTTP traffic yet. Resolution: The absence of the HTTP schema in the OpsDB configuration is now correctly handled. |
RDAPI-14018 | 00993963 | Issue: managedomain displayed an Invalid group passphrase error when the Submit externally signed certificate option was used. Resolution: Using the Submit externally signed certificate option no longer results in an error. |
RDAPI-14021 | 00992660 | Issue: Using the Find Certificate filter causes a memory leak. Resolution: Native components are now correctly freed when an error is raised. |
RDAPI-14023 | 00983348 | Issue: Unexpected 403 response when sending a POST request with default profiles to /proxies to virtualize an API. Resolution: Default profiles are accepted when sending a POST request to /proxies to virtualize an API. |
RDAPI-14043 | 00949984 | Issue: The API Gateway Authorization Request filter had limited diagnostic output in traces for troubleshooting. Resolution: The API Gateway Authorization Request filter now produces more diagnostic output in traces. |
RDAPI-14068 | 00986597 | Issue: You could not create API Manager users with commas in their name. The validation failure was not being written to the trace log. Resolution: Commas are permitted in the names of API Manager users, and validation errors for new users are logged correctly. |
RDAPI-14085 | 00973925 | Issue: The apimanager-promote script does not update an application with the same name if the application ID is different. Resolution: apimanager-promote now updates an application with the same name irrespective of the application ID. |
RDAPI-14088 | 00983879 | Issue: You could not environmentalize open traffic event log settings in Policy Studio. Resolution: Open traffic event log settings can be environmentalized directly under Server Settings > Logging > Open Traffic Event Log, or by navigating to the configuration from Environment Configuration > Environment Settings. |
RDAPI-14102 | 01000980 | Issue: The Content-Type of the Consumes and Produces type is missing in API Manager for PATCH methods imported from Swagger. Resolution: The Content-Type of the Consumes and Produces type is displayed in API Manager. |
RDAPI-14121 | 00978019 | Issue: Duplicate claim error when adding a sub claim as an additional JWT claim in the OAuth client (External Connections > Client Credentials > OAuth2). Adding a kid claim to be included in the JWT header was not supported. Resolution: Additional JWT claims for sub and kid are fully supported and work as expected. |
RDAPI-14137 | 00977062 | Issue: Invalid file name error in API Manager when downloading the Swagger for an API if the API name contains unsupported characters (for example, ':', '@', '*', '~'). Resolution: API Manager replaces unsupported characters in the name with underscores, and the Swagger file can be downloaded as expected. |
RDAPI-14149 | 00977732 | Issue: Using API Manager with Internet Explorer or Edge browsers to import a back-end API required clicking the Select file button twice before it worked. Resolution: The Select file button now works on the first click. |
RDAPI-14151 | 00996951 | Issue: API Gateway reported a license error when it did not have permission to access log files in the /tmp directory. Resolution: API Gateway no longer generates log files in /tmp. The API Gateway event log (Log4j 2) configuration file is now at /system/conf/loggers/eventLog.xml. The API Gateway open traffic log (Log4j 2) configuration file is now at /system/conf/loggers/openTrafficLog.xml. |
RDAPI-14156 | 00973390 | Issue: You could not environmentalize the Enable Embedded Active MQ Broker checkbox in Policy Studio under Server Settings > Embedded Active MQ configuration. Resolution: You can environmentalize both the enable Active MQ setting and the policy selection setting separately. |
RDAPI-14164 | 00948031 | Issue: The Save button is not enabled in Policy Studio when you select Server Settings > General > Input Encodings or Output Encodings for environmentalization. Resolution: The Save button is enabled when you select these fields for environmentalization. |
RDAPI-14209 | 00963367 | Issue: When reimporting applications that have quota overrides exported using the 8075 UI or the REST API with the Export quota overrides option selected, the override quota API changed to Undefined. Resolution: Locating the API in quota settings during application import is now fixed. Also, error messages were added for scenarios such as a method within the API not being found, or the API not being found. |
RDAPI-14232 | 00991420 | Issue: In the API Gateway access log, the time zone is not correct if daylight saving time is in effect. Resolution: The time zone is always correct and includes daylight saving time if applicable. |
RDAPI-14289 | 00980228 | Issue: The API Manager UI hangs when adding a user to an application. Resolution: The UI performance issue when adding or removing users from an application in API Manager is now fixed. |
RDAPI-14294 | 00987083 | Issue: You could not create a certificate with an expiry date after 2037 in Policy Studio on Windows. Resolution: You can now create a certificate with an expiry date after 2037. |
RDAPI-14322 | 00987708 | Issue: API Gateway crashed when sending a request to an ICAP server. Resolution: The JSON document body object was closing the connection before sending data. |
RDAPI-14330 | 00970289 | Issue: Inconsistent data in the audit log for API access and applications in API Manager. Resolution: Inconsistencies in audit log messages for API access and application CRUD operations have been removed. Now the _message_ field contains human-readable object names, and object UUIDs are written to the _metadata_ field. Inconsistencies in audit log messages for organizations and permissions have also been consolidated. |
RDAPI-14332 | | Issue: The Key Property Store (KPS) does not cache the identifier of a record that does not exist. This results in unnecessary database requests and poor performance. Resolution: API Gateway now caches the request for a record that does not exist, which reduces database hits and improves performance. |
RDAPI-14336 | 00976755, 00976945 | Issue: I/O streams were not closed in case of errors during CRL processing. Also, some memory allocations related to OpenSSL function calls were not required. Resolution: I/O streams are closed when they are no longer needed, and extra memory is not allocated when calling OpenSSL functions. |
RDAPI-14393 | 00969324 | Issue: Data inconsistency in the API Gateway Analytics UI when changing views from long term to short term. Resolution: The inconsistency no longer occurs. |
RDAPI-14413 | 00978229 | Issue: When HTTP requests failed, request paths were not recorded correctly in the Transaction Event Log. Resolution: Request paths are always recorded correctly. |
RDAPI-14449 | 01005122, 01000908, 01001167 | Issue: The API Gateway Service Pack 8 post-install script was overwriting the conf/acl.json file. Changes made by customers to this file were lost. Resolution: The post-install script now only changes the affected line in the acl.json file. |
RDAPI-14454 | 01006639 | Issue: Adding a query string to a front-end API using Outbound > Advanced > Per Method Override > Edit API proxy results in the wrong query string if the front-end API back-end service URL already had a query string. Resolution: The query string is now added correctly. |
RDAPI-14455 | 01008564 | Issue: The Cassandra Throttling settings section was missing in the API Gateway documentation. Resolution: The Cassandra Throttling settings section can be found in the API Gateway Administrator Guide. |
This service pack has the following known issues, which are planned for a future release.
Internal ID | Description |
---|---|
RDAPI-13123 | External OAuth scopes will not match if extra scopes are present |
RDAPI-13433 | API Manager generates wrong top-level OAuth security requirements in Swagger |
RDAPI-13933 | Data Mapper in Policy Studio not working for XML to JSON |
RDAPI-14044 | API Manager/Portal self-registration fails for emails containing a '+' sign |
RDAPI-14070 | apimanager-promote fails with a password containing ":" |
RDAPI-14095 | SSL handshake failing for HTTPS WSDL import in API Manager |
RDAPI-14203 | Issue with qualified schema in Visual Data Mapper |
RDAPI-14225 | Stored XSS in the application's OAuth Redirect URL. Encode OAuth Redirect URLs on output |
RDAPI-14241 | Issues importing Swagger 1.2 files |
RDAPI-14321 | Improper handling of SOAP WSDL with several service ports |
RDAPI-14388 | Impossible to import the same WSDL twice |
RDAPI-14403 | FTP Poller - remote file deleted in case of failure when the poller is configured to "do nothing" |
RDAPI-14405 | Error with OAuth2 Application Settings using selectors |
RDAPI-14426 | Content theft using Image Upload and Flash |
RDAPI-14470 | First In First Out eviction: adding existing data removes the original instead of updating it |
RDAPI-14472 | First In First Out eviction policy doesn't work as expected with the Persist to disk option |
RDAPI-14484 | Environmentalized field is missing after upgrade from 7.5.3 to 7.6.2 |
RDAPI-14543 | Missing token check with outbound OAuth client credentials flow |
RDAPI-14546 | ZDD API unpublish mechanism doesn't work correctly |
RDAPI-14555 | Incorrect handling of expired refresh token - outbound OAuth |
RDAPI-14557 | Inconsistent error messages between GET and POST requests in case of "no match found for request" |
These instructions apply to both API Gateway and API Manager.
For API Gateway container deployments, follow the instructions for applying a Service Pack in the API Gateway Container Deployment Guide.
This service pack has the following prerequisites in addition to those specified for the major product release version in the API Gateway Installation Guide:
- INSTALL_DIR/system/lib/modules directory.
- The JAVA_HOME variable is set correctly in cassandra.in.sh and cassandra.in.bat.
If FIPS mode is enabled, you must perform the following steps to install the service pack:
- Run togglefips --disable to turn FIPS mode off.
- Run togglefips --enable to turn FIPS on again.
This section describes how to install the service pack on existing installations of API Gateway or API Manager.
Note: If you have API Manager installed, installing the API Gateway server service pack automatically installs the updates for API Manager.
To install the service pack on your existing API Gateway 7.6.2 server installation, perform the following steps:
- INSTALL_DIR/ext/lib and INSTALL_DIR/META-INF directories (or the ext/lib directory in an API Gateway instance). These patches have already been included in this service pack. You do not need to copy patches from a previous version.
- Extract the archive into the apigateway directory in your existing installation directory. For example:
  tar -xzvf APIGateway_7.6.2_SP1_Core_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/apigateway/
- Change to the apigateway directory in your installation: INSTALL_DIR/apigateway
- Run apigw_sp_post_install.sh
  Note: bash command, and ensure that the correct permissions are set. Check the permissions with:
  ls -l INSTALL_DIR/apigateway/posix/bin
To install the service pack on your existing API Gateway Analytics 7.6.2 installation, perform the following steps:
- Extract the archive into the analytics directory in your existing API Gateway 7.6.2 installation directory. For example:
  tar -xzvf APIGateway_7.6.2_SP1_Analytics_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/analytics/
- Change to the analytics directory in your installation: INSTALL_DIR/analytics
- Run apigw_analytics_sp_post_install.sh
  Note: bash command, and ensure that the correct permissions are set. Check the permissions with:
  ls -l INSTALL_DIR/analytics/posix/bin
To install the service pack on your existing Policy Studio installation, perform the following steps:
- INSTALL_DIR/policystudio directory.
- Extract the archive into the policystudio directory in your existing API Gateway 7.6.2 installation directory. For example:
  tar -xzvf APIGateway_7.6.2_SP1_PolicyStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/policystudio/
Note: The first time you start Policy Studio, you must use policystudio -clean.
To install the service pack on your existing Configuration Studio installation, perform the following steps:
- INSTALL_DIR/configurationstudio directory.
- Extract the archive into the configurationstudio directory in your existing API Gateway 7.6.2 installation directory. For example:
  tar -xzvf APIGateway_7.6.2_SP1_ConfigurationStudio_linux-x86-64_BNYYYYMMDDn.tar.gz -C /opt/Axway-7.6.2/configurationstudio/
Note: The first time you start Configuration Studio, you must use configurationstudio -clean.
The following steps apply after installing the service pack.
To allow an unprivileged user to run API Gateway on a Linux system, perform the following steps:
- INSTALL_DIR/system/conf/jvm.xml file:
  <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>
- Run setcap 'cap_net_bind_service=+ep cap_sys_rawio=+ep' INSTALL_DIR/platform/bin/vshell to allow the API Gateway to listen on privileged ports.
- Create the file /etc/ld.so.conf.d/gateway-libs.conf that contains the following lines:
  INSTALL_DIR/platform/jre/lib/amd64/server
  INSTALL_DIR/platform/jre/lib/amd64
  INSTALL_DIR/platform/lib/engines
  INSTALL_DIR/platform/lib
  INSTALL_DIR/ext/lib
- Run ldconfig
Note: When API Manager is installed, you must also run the update_apimanager script after the API Gateway post-install script to ensure that all paths are up to date.
Go to the Documentation portal at http://docs.axway.com to find all documentation for this product version.
The following reference documents are available on the Documentation portal at http://docs.axway.com:
The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com
Copyright © 2018 Axway. All rights reserved.