KB Article #182927
Azul Zulu Java Multiple Vulnerabilities (August 2023)
Problem
- CVE-2023-22006 CVSS Base score: 3.1
  Impacts Java 11.0.19, 17.0.7, 20.0.1.
- CVE-2023-22036 CVSS Base score: 3.7
  Impacts Java 11.0.19, 17.0.7, 20.0.1.
- CVE-2023-22041 CVSS Base score: 5.1
  Impacts Java 8u371, 11.0.19, 17.0.7, 20.0.1.
- CVE-2023-22043 CVSS Base score: 5.9
  Impacts Java 8u371.
- CVE-2023-22044 CVSS Base score: 3.7
  Impacts Java 8u371, 17.0.7, 20.0.1.
- CVE-2023-22045 CVSS Base score: 3.7
  Impacts Java 8u371, 11.0.19, 17.0.7, 20.0.1.
- CVE-2023-22049 CVSS Base score: 3.7
  Impacts Java 8u371, 11.0.19, 17.0.7, 20.0.1.
Resolution
The February 2023 and May 2023 releases of API Gateway ship with Java 8u352. The August 23 and November 23 releases of API Gateway ship with Java 11.0.19.
None of the above CVEs impact API Gateway. Even if an impacted Java version is shipped, the descriptions for all of these CVEs state:
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
API Gateway runs on the server side, and the policies it executes (including scripting policies) are deployed by privileged users only.