KB Article #182101

Impact of CVE-2018-25032 on API Gateway

Problem

A zlib-related vulnerability was published on March 25th 2022 and evaluated with a CVSS v3 base score of 7.5.
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Is API Gateway (Gateway, Manager, Policy Studio) vulnerable to the exploit described in CVE-2018-25032?


Resolution

The bug was introduced in zlib 1.2.2.2, with the addition of the Z_FIXED option, and is fixed in zlib 1.2.12.
API Gateway 7.7 Feb 22 or earlier is delivered with zlib version 1.2.5. At the same time, API Gateway uses a combination of parameters (memLevel hardcoded to 8 and strategy=Z_DEFLATED) that reduces the potential for exploiting this vulnerability and makes an attack unlikely under real conditions.

While API Gateway may not be exploitable through the issue reported against zlib, the vulnerable library version will continue to show up as a finding on customer vulnerability scans.
Axway plans to update the zlib library to version 1.2.12 in a future update of API Gateway.
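The two facts above (affected zlib range 1.2.2.2 up to but not including 1.2.12; the bug needs the Z_FIXED deflate strategy) can be turned into a simple triage check. This is an added example, not Axway's or zlib's code; the verdict strings and the helper names are my own, and the runtime check relies on Python's zlib module reporting the linked library version.

```python
"""Triage helper for CVE-2018-25032: classify a zlib version string against the
affected range stated in the KB text and flag deflate configurations that select
the Z_FIXED strategy the bug depends on."""
import re
import zlib

# Range taken from the KB text: introduced in 1.2.2.2, fixed in 1.2.12.
INTRODUCED = (1, 2, 2, 2)
FIXED = (1, 2, 12)

# Re-exported so callers (and tests) need not import zlib themselves.
Z_FIXED = zlib.Z_FIXED
Z_DEFAULT_STRATEGY = zlib.Z_DEFAULT_STRATEGY

VERDICT_NOT_AFFECTED = "not affected: zlib version outside 1.2.2.2 <= v < 1.2.12"
VERDICT_VERSION_ONLY = ("library version affected, but Z_FIXED not selected: "
                        "exploitation unlikely, scanners will still flag the version")
VERDICT_AFFECTED = "affected: zlib in range and Z_FIXED in use, upgrade to 1.2.12"


def parse_version(text):
    """Turn '1.2.5', '1.2.12' or '1.2.2.2' into a tuple of ints.
    Vendor suffixes such as '1.2.11.1-motley' are cut at the first non-numeric part."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a zlib version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_affected_range(version):
    """True when INTRODUCED <= version < FIXED. Python compares tuples
    element-wise, so 1.2.2 sorts below 1.2.2.2 and 1.2.12.0 is not below 1.2.12."""
    return INTRODUCED <= parse_version(version) < FIXED


def assess(version, strategy=Z_DEFAULT_STRATEGY):
    """Combine the library version and the configured deflate strategy into a verdict."""
    if not in_affected_range(version):
        return VERDICT_NOT_AFFECTED
    if strategy != Z_FIXED:
        return VERDICT_VERSION_ONLY
    return VERDICT_AFFECTED


def runtime_verdict(strategy=Z_DEFAULT_STRATEGY):
    """Assess the zlib actually linked into this Python interpreter."""
    return assess(zlib.ZLIB_RUNTIME_VERSION, strategy)


if __name__ == "__main__":
    print("API Gateway 7.7 Feb 22 (zlib 1.2.5):", assess("1.2.5"))
    print("this interpreter:", runtime_verdict())
```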


Resources
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.linuxadictos.com/en/fue-detectada-una-vulnerabilidad-en-zlib.html
https://github.com/madler/zlib/issues/605#issuecomment-1080062050