KB Article #182649

Azul Zulu Java Multiple Vulnerabilities (January and April 2023)

Problem

The following security vulnerabilities have been found in the Azul JRE included with API Gateway (7.7.20230228 or earlier).

January 2023

CVE-2023-21843 - CVSS Base score: 3.7
CVE-2023-21830 - CVSS Base score: 5.3

The two CVEs above are fixed in Azul 1.8u362; see https://docs.azul.com/prime/cve

CVE-2023-21835 - CVSS Base score: 5.3
This one does not affect Java 1.8, according to https://docs.azul.com/prime/cve


April 2023

CVE-2023-21930 - CVSS Base score: 7.4
CVE-2023-21937 - CVSS Base score: 3.7
CVE-2023-21938 - CVSS Base score: 3.7
CVE-2023-21939 - CVSS Base score: 5.3
CVE-2023-21954 - CVSS Base score: 5.9
CVE-2023-21967 - CVSS Base score: 5.9
CVE-2023-21968 - CVSS Base score: 3.7

The seven CVEs above are fixed in Azul 1.8u371; see https://docs.azul.com/prime/cve

Resolution

API Gateway is not actually vulnerable to any of these CVEs; the descriptions of all of them state:

This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

API Gateway runs server-side, and the policies it executes (including scripting policies) are deployed only by privileged users.

Note that all of these issues are fixed in 1.8.0_371 (or 11.0.19+7); API Gateway will move to a fixed JRE in an update later in 2023.
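The following is an added example, not part of this KB article or of any Axway tooling, for administrators who want to confirm which fix level the JRE on a gateway host has reached. It assumes only the thresholds stated above (1.8u362 for the January CVEs, 1.8.0_371 or 11.0.19+7 for all of them) and the standard `java -version` output format; the sample output used at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the KB article): classify a JRE version string
# against the fix levels named in the article.
#   Java 8:  < 1.8.0_362 -> unpatched, 362..370 -> partial (January CVEs
#            fixed, April CVEs not), >= 1.8.0_371 -> fixed
#   Java 11: < 11.0.19   -> unpatched, >= 11.0.19 -> fixed
#   anything else       -> unknown (the article says nothing about it)

# Extract the quoted version from `java -version` output read on stdin.
parse_java_version() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Keep only the leading digits of a version component ("19+7" -> "19").
digits() {
    printf '%s' "$1" | sed 's/[^0-9].*$//'
}

jre_status() {
    v="$1"
    case "$v" in
        1.8.0_*)
            # Java 8: the update number follows the underscore.
            upd=$(digits "${v#1.8.0_}")
            upd=${upd:-0}
            if [ "$upd" -ge 371 ]; then
                echo fixed
            elif [ "$upd" -ge 362 ]; then
                echo partial
            else
                echo unpatched
            fi
            ;;
        11.*)
            # Java 11: compare minor.patch against 11.0.19.
            minor=$(digits "$(printf '%s' "$v" | cut -d. -f2)")
            patch=$(digits "$(printf '%s' "$v" | cut -d. -f3)")
            minor=${minor:-0}
            patch=${patch:-0}
            if [ "$minor" -gt 0 ] || [ "$patch" -ge 19 ]; then
                echo fixed
            else
                echo unpatched
            fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Constructed sample of `java -version` output (it goes to stderr on a
# real host, hence the 2>&1 in the commented command below).
SAMPLE='openjdk version "1.8.0_362"
OpenJDK Runtime Environment (constructed sample, not real build output)'

# On a gateway host you would run instead:
#   jre_status "$(java -version 2>&1 | parse_java_version)"
printf 'sample JRE %s: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | parse_java_version)" \
    "$(jre_status "$(printf '%s\n' "$SAMPLE" | parse_java_version)")"
```

Run it against the JRE that the gateway actually launches with (for example the one under the installation's own `jre` directory), not just whatever `java` is first on `PATH`; a host can carry several JREs and the status of the wrong one is not useful.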