API Gateway 7.7 April 2019 fixed issues


API Gateway 7.7 includes all fixes for 7.5.3 and 7.6.2 Service Packs up to and including 7.5.3 SP 10 and 7.6.2 SP 2. For details of all the Service Pack fixes included in 7.7, see the corresponding SP Readme attached to each Service Pack on Axway Support.

Fixed security vulnerabilities

| Internal ID | Case ID | CVE Identifier | Description |
|---|---|---|---|
| RDAPI-12306 | 00949535 | | Issue: API Gateway Manager UI was vulnerable to a path traversal attack from unauthenticated users. Resolution: API Gateway Manager UI is no longer vulnerable. |
| RDAPI-13768 | 00969445 | | Issue: Cannot limit the number of simultaneous open WebSockets for a client IP address. Resolution: You can now configure the WebSocket listener with a policy to trigger when the connection is closed. You must configure a `com.axway.websocket.policy.onclose` Java global property in the `jvm.xml` file with the reference to the policy called. |
| RDAPI-13877 | 00987148 | CVE-2018-1199 | Issue: API Gateway included Spring framework version 4.3.5.RELEASE, which has a number of vulnerabilities including CVE-2018-1199. Resolution: API Gateway includes Spring framework version 4.3.18.RELEASE, which addresses known vulnerabilities. |
| RDAPI-13952 | 00976711 | | Issue: API Gateway does not fail the decryption of a PGP-encrypted signed message when the Verify option is selected in the filter. Resolution: The decryption fails in this case by default. The Decrypt with PGP filter now has a new option ‘Fail decrypt if One Pass and not signed’ to control this behavior. In earlier versions, the system property `pgpFailDecryptNoSignature` controlled this behavior. If the system property is set to false, you must deselect the new option ‘Fail decrypt if One Pass and not signed’ to keep the same behavior. |
| RDAPI-13959 | 00998337 | | Issue: On receiving a message body containing the string `<!DOCTYPE>`, the Threatening Content filter only reported an error if that string was uppercase, which incorrectly allowed XXE strings through the filter to be processed by downstream filters and policies and possibly sent on to back-end systems. Resolution: The Threatening Content filter performs a case-insensitive match against the `<!DOCTYPE>` string and reports an error. |
| RDAPI-14182 | 01004262 | | Issue: A URL containing a large number of slashes causes a crash in API Gateway. Resolution: API Gateway correctly handles long URLs in memory. |
| RDAPI-14190 | 00976396, 00933466 | | Issue: Submitting a token request without specifying any scope would return all application scopes and scopes of APIs that are associated with the application. Resolution: You can now select an option in API Manager settings to apply application scope restrictions, or set the JVM property `<VMArg name="-Dcom.apimanager.application.oauth.restrictScopes=true"/>` to return only those scopes which have been added to the application as Application Level scopes and marked as default. |
| RDAPI-14458 | 00981694 | CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098 | Issue: API Gateway included Bouncy Castle library version 1.55, which contained vulnerabilities. Resolution: API Gateway now includes Bouncy Castle library version 1.60 and is no longer vulnerable. |
| RDAPI-14607 | 00989768, 00990108, 01014125 | | Issue: The Location header in a 303 See Other response contained absolute URIs to the host specified in the Host header, which could be modified and cause a security issue. Resolution: The Location header now contains a relative URI by default, according to RFC 7231. To return absolute URIs in the Location header, set the `com.axway.response.redirect.location.relative` Java system property to false in `INSTALL_DIR/apigateway/system/conf/jvm.xml`. |
| RDAPI-14609 | 01009656 | | Issue: The API Gateway SOAP response to a message with an empty body contains a fault namespace indicating that it is an Axway API Gateway. Resolution: You can use the `-Dcom.axway.soap.faultnamespace` system property in `jvm.xml` to rename this namespace to avoid any potential security issues. |
| RDAPI-14662 | 01010153 | | Issue: When the JWT Verify filter executed in Policy Studio, the JWT token payload was visible in plain text in logs at INFO trace level, causing a security risk. Resolution: The JWT token payload is now redacted from tracing at all levels. |
| RDAPI-14695 | 01010245 | | Issue: The Threatening Content filter only scanned the value of the first query string parameter with a specific name, allowing it to be bypassed using multiple parameter values of the same name. Resolution: The Threatening Content filter now scans every query string parameter value regardless of name. |
| RDAPI-15557 | 01032720 | | Issue: API Gateway binaries were not delivered with stack protection and could be vulnerable to stack-based buffer overflow attacks. Resolution: Native code is now built with stack canaries enabled and API Gateway is no longer vulnerable. |
| RDAPI-15564 | 01037073 | CVE-2019-1559, CVE-2018-0734 | Issue: API Gateway included OpenSSL 1.0.2p-fips, which contained vulnerabilities. Resolution: API Gateway now includes OpenSSL 1.0.2q-fips, and is no longer vulnerable. |
| RDAPI-15928 | 01048313 | CVE-2019-1559 | Issue: API Gateway included OpenSSL 1.0.2p-fips, which contained vulnerabilities. Resolution: API Gateway now includes OpenSSL 1.0.2r-fips, addressing the following security vulnerability: CVE-2019-1559. |
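The two Threatening Content filter fixes above (RDAPI-13959, case-sensitive `<!DOCTYPE` matching; RDAPI-14695, scanning only the first value of a repeated query parameter) can be modelled side by side. This is an added illustration, not Axway's filter code; the function names, the DOCTYPE-only pattern and the sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Added example, not Axway's Threatening Content filter code. It models the
# two bypasses described above (case-sensitive <!DOCTYPE match, RDAPI-13959;
# first-value-only query scanning, RDAPI-14695) beside the fixed behaviour.

# Fixed: case-insensitive match on the DOCTYPE declaration opener.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def body_flagged_before_fix(body: str) -> bool:
    """Pre-fix behaviour: only an exact uppercase <!DOCTYPE is reported."""
    return "<!DOCTYPE" in body


def body_flagged(body: str) -> bool:
    """Fixed behaviour: <!doctype, <!DocType, ... are all reported."""
    return DOCTYPE_RE.search(body) is not None


def query_flagged_before_fix(query: str) -> bool:
    """Pre-fix behaviour: only the first value of each parameter name is
    scanned, so a repeated name hides later values from the check."""
    first_value = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first_value.setdefault(name, value)
    return any(DOCTYPE_RE.search(v) for v in first_value.values())


def query_flagged(query: str) -> bool:
    """Fixed behaviour: every decoded value is scanned, whatever its name."""
    return any(DOCTYPE_RE.search(v)
               for _, v in parse_qsl(query, keep_blank_values=True))


def request_flagged(query: str, body: str) -> bool:
    """Fixed filter decision for one request: query string and body both count."""
    return query_flagged(query) or body_flagged(body)


# Constructed sample requests (not captured traffic).
LOWERCASE_DOCTYPE_BODY = '<?xml version="1.0"?><!doctype note><note>hi</note>'
REPEATED_PARAM_QUERY = "q=hello&q=%3C!DocType%20x%3E"

if __name__ == "__main__":
    print("before fix, lowercase body:", body_flagged_before_fix(LOWERCASE_DOCTYPE_BODY))  # False
    print("after fix, lowercase body: ", body_flagged(LOWERCASE_DOCTYPE_BODY))             # True
    print("before fix, repeated q=:  ", query_flagged_before_fix(REPEATED_PARAM_QUERY))   # False
    print("after fix, repeated q=:   ", query_flagged(REPEATED_PARAM_QUERY))              # True
```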

Other fixed issues

| Internal ID | Case ID | Description |
|---|---|---|
| RDAPI-13374 | 00949984 | Issue: The API Gateway OAuth Authorization Code Flow filter had limited diagnostic output in traces for troubleshooting. Resolution: The Authorization Code Flow filter produces more detailed diagnostic output in traces. |
| RDAPI-13850 | 00974976, 00982285, 00975245, 00997479 | Issue: Trailing slashes were not always processed correctly for inbound requests in SOAP and REST APIs. Resolution: You can set the new `com.vordel.apimanager.uri.path.trailingSlash.preserve` Java property to ‘true’ to allow inbound API requests with a trailing slash to match an API path with no trailing slash. |
| RDAPI-13881 | 00968176 | Issue: When using the implicit OAuth flow, the token response did not include the scopes for the token in the Location header of the response, even when the scopes were different from the request, as required by the specification. Resolution: The implicit OAuth token response always contains the scopes, whether they are different from the requested scopes or not. |
| RDAPI-13926 | 00996887 | Issue: The Traffic Monitoring UI failed to display non-HTTP transactions if the API Gateway instance had not yet received any HTTP traffic. Resolution: The absence of the HTTP schema in the OpsDB configuration is now correctly handled. |
| RDAPI-13932 | 00998723, 00997199 | Issue: Cannot create OCSP Client, Security Token Service Client, or XACML PEP filters in Policy Studio because of a missing resource. Resolution: The filters can now be created successfully in Policy Studio. |
| RDAPI-13934 | 00983915 | Issue: Visual Data Mapper failed to transform XML to JSON when XML reference types were used. Resolution: The error no longer occurs when transforming XML to JSON using XML reference types. |
| RDAPI-13946 | | Issue: HTTP status codes were incorrect in the API Manager specific fault response; a 500 error was always returned. Also, the SOAP error response needs to respect the HTTP error code. Resolution: The API Manager specific fault response now sends the correct status code, and the SOAP fault code is returned respecting the HTTP error response. |
| RDAPI-13956 | 00970289 | Issue: Inconsistent data in the audit log for API access and applications in API Manager. Resolution: Inconsistencies in audit log messages for API access and application CRUD operations have been removed. Now the message field contains human readable object names, and object UUIDs are written to the metadata field. Inconsistencies in audit log messages for organizations and permissions have also been consolidated. |
| RDAPI-13973 | 00956029 | Issue: When the Metrics database was changed for API Manager in Policy Studio, the change was not saved and no data was displayed in the UI anymore. Resolution: When the Metrics database is changed, the user is prompted to save the change before continuing. |
| RDAPI-14004 | 00979243 | Issue: Incoming requests for URLs containing encoded extended ASCII characters could result in an error when writing Traffic Monitoring records and cause a memory leak. Resolution: The extended ASCII characters are no longer treated as a malformed UTF-8 string, and the memory leak no longer happens. |
| RDAPI-14008 | 00966062 | Issue: When using the “Connect To URL” filter to connect to a remote host in an External Identity Provider circuit, the connections would never be released back to the connection pool once the processing was completed. Resolution: The remote host connections are released at the end of processing requests to an External Identity Provider. |
| RDAPI-14015 | 00999506 | Issue: API Gateway returned a 404 error for REST API methods designed to consume specific content types. Resolution: The API Gateway REST API method content type check works as expected. |
| RDAPI-14017 | 00993963 | Issue: managedomain displayed an invalid group passphrase error when the Submit externally signed certificate option was used. Resolution: Using the Submit externally signed certificate option no longer results in an error. |
| RDAPI-14022 | 00992660 | Issue: Using the Find Certificate filter causes a memory leak. Resolution: Native components are now correctly freed when an error is raised. |
| RDAPI-14067 | 00986597 | Issue: You cannot create API Manager users with commas in their name. The validation failure was not being written to the trace log. Resolution: Commas are permitted in the names of API Manager users, and validation errors for new users are logged correctly. |
| RDAPI-14089 | 00983879 | Issue: Cannot environmentalize open traffic event log settings in Policy Studio. Resolution: Open traffic event log settings can be environmentalized in Policy Studio directly under Server Settings > Logging > Open Traffic Event Log or by navigating to the configuration from Environment Configuration > Environment Settings. |
| RDAPI-14122 | 00978019 | Issue: Duplicate claim error when adding a “sub” claim as an additional JWT claim in the OAuth client (External Connections > Client Credentials > OAuth2). Adding a “kid” claim to be included in the JWT header was not supported. Resolution: Additional JWT claims for “sub” and “kid” are fully supported and work as expected. |
| RDAPI-14155 | 00973390 | Issue: Cannot environmentalize the Enable Embedded Active MQ Broker checkbox in Policy Studio under Server Settings > Embedded Active MQ configuration. Resolution: You can environmentalize both the enable Active MQ and the policy selection settings separately. |
| RDAPI-14163 | 00948031 | Issue: The Save button was not enabled when Input/Output Encoding in General server settings was selected for environmentalization. Resolution: The Save button is enabled once the field is selected for environmentalization. |
| RDAPI-14179 | 00969687 | Issue: Importing an XSD that includes other XSDs (by `<include>`) under Resources > XML Schema Document Bundles > User-defined Catalog in Policy Studio fails for Data Map creation. Resolution: The XSD for Data Map creation imports correctly in Policy Studio under Resources > XML Schema Document Bundles > User-defined Catalog. |
| RDAPI-14223 | 00996951 | Issue: API Gateway license error when the user does not have permission to access log files in the `/tmp` directory. Resolution: API Gateway no longer generates log files in `/tmp`. The API Gateway event log (Log4j 2) configuration file is now in `/system/conf/loggers/eventLog.xml`. The API Gateway Open traffic log (Log4j 2) configuration file is now in `/system/conf/loggers/openTrafficLog.xml`. |
| RDAPI-14233 | 00991420 | Issue: In the API Gateway access log, the time zone is not correct if daylight savings is in effect. Resolution: The time zone is always correct and includes daylight savings if applicable. |
| RDAPI-14242 | 00989086 | Issue: After adding a second node manager to a group, the two node managers would have different topology versions. Resolution: When a second node manager is added, both node managers have the same topology version. |
| RDAPI-14295 | 00987083 | Issue: You could not create a certificate with an expiry date after 2037 in Policy Studio on Windows. Resolution: You can create a certificate with an expiry date after 2037. |
| RDAPI-14323 | 00987708 | Issue: Memory exception in API Gateway when sending a request to an ICAP server. Resolution: The issue was caused by the JSON document body object closing the connection before sending data. The issue has been resolved and the exception no longer occurs. |
| RDAPI-14333 | | Issue: Key Property Store (KPS) does not cache the identifier of a record that does not exist. This results in unnecessary database requests and poor performance. Resolution: API Gateway now caches the request to a record that does not exist, which reduces database hits and improves performance. Note: Do not enable KPS caching for internal tables. These are API Portal, API Server, or OAUTH collections. |
| RDAPI-14334 | 00976755, 00976945 | Issue: API Gateway might crash or report ‘Out Of Memory’ errors due to a small memory leak in traffic monitoring. I/O streams were also not closed in case of errors. Resolution: This memory leak has been fixed, and I/O streams are always closed. |
| RDAPI-14387 | 01004665 | Issue: Cannot import multiple WSDL back-end APIs with the same WSDL URL. Resolution: You can import multiple WSDL back-end APIs with the same WSDL URL. |
| RDAPI-14392 | 00969324 | Issue: There was an inconsistency between long-term and short-term views in the API Gateway Analytics UI. Resolution: This inconsistency no longer occurs. |
| RDAPI-14402 | 00999252 | Issue: The FTP Poller was not carrying out the correct action when the processing policy failed. Resolution: The FTP Poller now carries out the correct action. |
| RDAPI-14406 | 00980797 | Issue: OAuth Clients configured using selectors failed to trace an appropriate error message. Resolution: The trace now contains the message “OAuth client application is not properly configured. Basic Client application properties are not set.” |
| RDAPI-14442 | 00971897 | Issue: If Single Sign On (SSO) was enabled for an API Gateway with API Manager configured, the process did not terminate cleanly when `startinstance -k` was issued. Resolution: The SSO-enabled API Gateway with API Manager configured now shuts down cleanly. |
| RDAPI-14451 | 01005122, 01000908, 01001167 | Issue: The API Gateway Service Pack 8 post install script was overwriting the `conf/acl.json` file. Changes made by customers to this file were lost. Resolution: The post install script now only changes the affected line in the `acl.json` file. |
| RDAPI-14471 | 01010010 | Issue: Adding a value to an API Gateway cache configured with a First-In-First-Out eviction policy incorrectly removes the value if it already exists in the cache. Also, if the Persist to Disk setting is selected when the cache is full, no eviction policy is executed when adding data. Resolution: The existing value is no longer removed from the cache, and is updated when required. If Persist to Disk is selected when the cache is full, the eviction policy supported by the cache persistence store is executed when adding data. |
| RDAPI-14505 | 00988159 | Issue: API Gateway Manager UI is very slow when managing a large number of instances. Resolution: Performance of the API Gateway Manager UI has been improved. |
| RDAPI-14514 | 00992660 | Issue: API Gateway memory consumption issue when displaying certificates, and the `sr` command line tool prints SSL debug information when quiet mode is set. Resolution: The memory leak has been fixed, and SSL information is no longer printed in quiet mode. |
| RDAPI-14544 | 00968288 | Issue: API Gateway would fail to throw an error when tokens received as an OAuth Client were malformed, and would store the token as null. Resolution: Token parsing now fails with an error message in trace. |
| RDAPI-14556 | 00988153 | Issue: In OAuth Client requests, if a token refresh request failed, the process would fall back to a regular token request but would fail to make the new token available to the outbound API call. Resolution: The new token is now used as expected. |
| RDAPI-14558 | 01000557 | Issue: API Gateway GET requests displayed different error messages from PUT, POST, and DELETE. Resolution: API Gateway error handling now provides the same HTTP status codes for all REST API requests. |
| RDAPI-14651 | 01008734 | Issue: The API Gateway Create Thumbprint filter sometimes removed leading zeros due to problems with the translation of a byte array to a string. Resolution: The Create Thumbprint filter no longer removes leading zeros. |
| RDAPI-14663 | 01012632 | Issue: The API Gateway File Upload filter was up to 20 times faster with a File Type of ASCII and a Connection Type of FTP or FTPS than with a File Type of Binary. Resolution: The File Upload filter now uses a more efficient OutputStream to improve performance when File Type is Binary and Connection Type is FTP or FTPS. |
| RDAPI-14691 | 01001297 | Issue: When using an OCSP Client filter with multiple response validation options selected, the client aborted and would not execute subsequent validation if the first option failed. Resolution: The client now tries every selected validation option before aborting. |
| RDAPI-14703 | 00999170, 00998920 | Issue: API Gateway sometimes showed cardinality violation exceptions in error traces. These indicated that the loaded configuration of some entities was corrupted in-memory, and no new values could be set for them, which could lead to undefined behavior. Resolution: API Gateway is no longer affected by a race condition accessing and setting the loaded entity store configuration values, and it can now update the entity store configuration values in-memory successfully. |
| RDAPI-14718 | 01013276 | Issue: In API Manager, an additional incorrect forward slash (/) was appended when matching API definitions that start with path parameters. Resolution: The incorrect leading / when matching the URL to the method definition has been removed. |
| RDAPI-14773 | 01008596 | Issue: An error was raised when decrypting JWT tokens that were encrypted by another security provider with the RSA OAEP algorithm. Resolution: The security provider has been improved to support RSA OAEP for both encryption and decryption. |
| RDAPI-14868 | 01020923 | Issue: API Gateway crashed on reaching maximum connections when sending HTTPS requests through an HTTP proxy. Resolution: The connections counter has been fixed and connection attempts that exceed the maximum now fail with an error message. |
| RDAPI-14983 | 01022533 | Issue: A crash could occur when redacting unbalanced XML documents. Also, HTTP redaction could generate invalid documents when parsing chunked bodies. Resolution: Unbalanced XML documents are now handled correctly and HTTP redaction has been fixed. |
| RDAPI-14990 | 01023672 | Issue: In EMT mode, API Gateways were unable to register with the Admin Node Manager when its management interface was protected with the Protect Management Interfaces (LDAP) policy. Resolution: The Protect Management Interfaces (LDAP) policy has been updated to allow API Gateways to register successfully. |
| RDAPI-15065 | 00966372 | Issue: An exception could be triggered when signing XML elements for which a namespace prefix did not exist. Resolution: The XML exception is no longer triggered when a namespace prefix is not required. |
| RDAPI-15071 | 01003624, 01003697 | Issue: In some rare cases, for HTTP requests with a body, the API Gateway Send to ICAP filter duplicated the Content-Type header. Resolution: The Send to ICAP filter now ensures that content headers are not duplicated. |
| RDAPI-15075 | 00982276 | Issue: Back-end API URL field validation in API Manager was inconsistent. The URL and HTTPS/Certificate validations did not behave the same way. This caused the error message to disappear when the field lost focus. Resolution: Both URL and HTTPS/Certificate validation are now done in a consistent manner, and both errors have the same look and feel when triggered. |
| RDAPI-15090 | 01013406 | Issue: API Manager did not respect the trailing slash when sending a request to the back-end with an API method exposed on “/” only and the Java system property set to preserve the trailing slash. Resolution: The trailing slash is now preserved when sending a request to the back-end with the `com.vordel.apimanager.uri.path.trailingSlash.preserve` Java system property set to true. |
| RDAPI-15102 | 01028015 | Issue: When adding a new policy with a Set Message filter, if one attribute was missing in the statement this caused a null pointer exception in JUEL, and not all attributes were displayed from the Set Message filter. Resolution: Selector Coercers now handle an empty Structure and all attributes are displayed. |
| RDAPI-15260 | 01001883 | Issue: Visual Mapper incorrectly created an Any tag when mapping an XSD element without a type defined. Resolution: Visual Mapper no longer creates an Any tag when mapping an XSD element without a type defined. |
| RDAPI-15273 | 01019887 | Issue: An API Gateway instance could crash when trying to log a trace message during shutdown. Resolution: API Gateway trace logging has been fixed. |
| RDAPI-15275 | 01029757 | Issue: API Gateway crashed when writing data to a corrupt traffic monitor file. Resolution: File corruption is now detected before trying to add data to the file. |
| RDAPI-15319 | 01022535 | Issue: Policies were misplaced in the Policy Studio Policies tree when a project dependency was added with the same name as a container in the parent project. Resolution: Policies now show correctly in the Policies tree even when a project dependency has the same name as a container in the parent project. |
| RDAPI-15349 | 01007579 | Issue: kpsadmin commands could sometimes reach the standard transaction timeout before completion. Resolution: kpsadmin commands now run until completion. The kpsadmin command result report now also shows the duration (in seconds) and the final HTTP response status. |
| RDAPI-15378 | 01023734 | Issue: The API Gateway XSLT Transformation filter incorrectly alters some UTF-8 characters. Resolution: The API Gateway XML parser has been fixed. However, the Apache Xalan transformer may still cause invalid output. You can solve this issue by configuring XML output or changing the provider (for example, to `net.sf.saxon.TransformerFactoryImpl`) in the filter’s Advanced settings. Note: Your system must now also be configured for UTF-8. You can do this by defining a system locale supporting UTF-8 (for example, “en_US.UTF-8”), or adding the `-Dfile.encoding=UTF-8` JVM startup parameter. |
| RDAPI-15423 | 01014764 | Issue: The Access Token using OAuth Client Credentials filter failed on execution if a Token Type other than Bearer was used in requests, even if the Access Token Type field was set correctly in Policy Studio. Resolution: The Access Token using the Client Credentials filter now accepts and validates a custom Access Token Type. |
| RDAPI-15469 | 01021772 | Issue: The Conversation field for a Hardware Security Module (HSM) was removed from the Private Key dialog in Policy Studio v7.5.3. Resolution: The Conversation field has been re-introduced to the Private Key dialog in Policy Studio 7.7. |
| RDAPI-15546 | 01039895 | Issue: The Cache attribute filter failed to update a previously cached attribute with a new attribute value when using a distributed cache. Resolution: The Cache attribute filter now updates previously cached attributes with new attribute values. |
| RDAPI-15597 | 01006325 | Issue: Cannot automatically regenerate certificates without regenerating domain certificates in managedomain. Resolution: The new option `--retain_domain_cert` added to managedomain can be used with `--regencerts` to ignore domain certificates. |
| RDAPI-15935 | 01047627, 01039356 | Issue: When using the Open Traffic Event log, disabling recording of incoming transactions while enabling recording of outgoing transactions resulted in a product crash. Resolution: Open Traffic Event Log has been corrected. |
| RDAPI-15992 | 01031448, 01040469 | Issue: In EMT mode, the topology did not display correctly in the API Gateway Manager UI if the domainID and groupID had the same value. Resolution: Additional validation has been added to ensure that the domainID and groupID are not set to the same value. |
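The Create Thumbprint defect (RDAPI-14651, leading zeros dropped when a byte array is rendered as a string) is easy to reproduce in a few lines. This is an added illustration, not the filter's own code; the function names and the constructed digest bytes are assumptions for the example, and it shows why a thumbprint stored from the buggy rendering fails to match the correct one.

```python
import hashlib

# Added example, not the Create Thumbprint filter's code. It reproduces the
# leading-zero defect described for RDAPI-14651 (a byte below 0x10 rendered
# as one hex digit) beside the corrected rendering, on constructed input.


def hex_join_before_fix(digest: bytes) -> str:
    """Pre-fix rendering: format(b, "X") gives 'A' for 0x0A, so the
    thumbprint silently loses a character for every byte below 0x10."""
    return ":".join(format(b, "X") for b in digest)


def hex_join(digest: bytes) -> str:
    """Fixed rendering: every byte becomes exactly two hex digits."""
    return ":".join(format(b, "02X") for b in digest)


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint of a DER-encoded certificate: hash of the raw bytes,
    rendered as colon-separated uppercase hex pairs (59 chars for SHA-1)."""
    return hex_join(hashlib.new(algorithm, der).digest())


def thumbprint_matches(der: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare against a stored thumbprint, tolerating case and separators
    but not missing digits: a value produced by the buggy renderer for a
    digest containing a byte below 0x10 is shorter and will not match."""
    def normalise(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return normalise(thumbprint(der, algorithm)) == normalise(expected)


# Constructed digest (not a real certificate hash) with bytes below 0x10.
CONSTRUCTED_DIGEST = bytes([0x0A, 0xFF, 0x01, 0x10, 0x00])
# Constructed stand-in for DER certificate bytes.
CONSTRUCTED_DER = b"constructed-certificate-bytes-for-demo"

if __name__ == "__main__":
    print(hex_join_before_fix(CONSTRUCTED_DIGEST))  # A:FF:1:10:0
    print(hex_join(CONSTRUCTED_DIGEST))             # 0A:FF:01:10:00
    print(thumbprint(CONSTRUCTED_DER))
```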