KB Article #179233

Is the API Gateway vulnerable to the ROBOT (Return Of Bleichenbacher's Oracle Threat) CVEs?

Problem

Several CVEs describing an SSL side-channel attack called ROBOT (Return Of Bleichenbacher's Oracle Threat) have been reported recently. Is the API Gateway impacted by any of them?

Resolution

No. A large number of CVEs go under the name ROBOT. A list can be found on the original researcher's website and includes: CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883 and CVE-2012-5081. Among these, the only one that was ever relevant to the gateway was CVE-2012-5081, a Java CVE from 2012 that was addressed as far back as API Gateway 7.2.0. The ROBOT CVEs that have been disclosed are not relevant to any supported version of API Gateway.