KB Article #177924
API Gateway & CVE-2016-2108: Memory corruption in the OpenSSL ASN.1 encoder
Problem
* The OpenSSL Security Advisory [3rd May 2016] disclosed CVE-2016-2108: Memory corruption in the OpenSSL ASN.1 encoder. which is a high-impact security issue.
Resolution
-- This bug was fixed by OpenSSL several months ago, but the security impact of it wasn't realized until recently. Accordingly, the most recent API Gateway versions already contain fixes for this CVE by virtue of including OpenSSL 1.0.1s. The following versions all contain OpenSSL 1.0.1s, which is not affected by CVE-2016-2108:
- 7.2.0 SP4 / 7.2.4 + OpenSSL 1.0.1s Patch
- 7.3.0 SP4 + OpenSSL 1.0.1s Patch
- 7.3.1 SP4 + OpenSSL 1.0.1s Patch
- 7.4.0 SP3 + OpenSSL 1.0.1s Patch
- 7.4.1 SP2
Concerned customers should upgrade to the latest SP for their branch. New SPs are cumulative and will contain previously-released patches.