API Manager 7.7 April 2019 fixed issues

API Gateway 7.7 includes all fixes for 7.5.3 and 7.6.2 Service Packs up to and including 7.5.3 SP 10 and 7.6.2 SP 2. For details of all the Service Pack fixes included in 7.7, see the corresponding SP Readme attached to each Service Pack on Axway Support.

Fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-13785 00977621 Issue: Input validation in username for email template was not performed correctly. Resolution: Input validation in username for email template is now performed correctly.
RDAPI-13966 00946657, 00988077, 00965605 Issue: Since the introduction of requiring an encryption password when exporting an API or application collection, the apimanager-promote script has failed because it did not have an option to provide a decryption password or passfile. Resolution: When running the apimanager-promote script there is an option to provide a decryption password or passfile. This option is required and the script will not run without it.
RDAPI-14077 00982967 Issue: Privilege escalation vulnerability, where a user can give themselves an elevated role via a PUT request. Resolution: Validate that a user can only change roles if they have that role or a higher role. For example: an Organization Admin may give other users the Organization Admin role, however they may not give the API Manager Admin role.
RDAPI-14079 00999092, 01002567 CVE-2018-0737 CVE-2018-0732 Issue: API Gateway shipped with OpenSSL 1.0.2o-fips. Resolution: API Gateway ships with OpenSSL 1.0.2p-fips, addressing the following security vulnerabilities: CVE-2018-0732, CVE-2018-0737.
RDAPI-14133 00977062 Issue: API Manager employed an AxwayDefence-enhanced annotation to validate the supplied filename that was too restrictive, preventing Swagger downloads when the filename contained characters such as ':', '@', '*', or '~'. Resolution: API Manager is more lenient and makes a best effort to normalize the filename (replacing non-matching characters with '_') so that it does not throw an error when the filename contains unsupported characters.
RDAPI-14184 00983725, 01003668, 00984372 Issue: API Manager users could embed malicious code in client OAuth redirect URLs. Resolution: This security vulnerability is now fixed in API Manager.
RDAPI-14379 00993607, 00984372 Issue: The URL input field on the Add Certificate page could be exploited to probe for files on the server or to map open ports in the API Gateway local network. Resolution: The URL input field is validated (it must be an HTTP URL, and only public domains are allowed). Also, the same error output is now returned in all cases when no certificate is found.
RDAPI-14427 00993605, 00984372 Issue: A security vulnerability in the image upload feature allowed upload of unsupported image formats (for example, Flash), which could be used to initiate attacks. Resolution: Introduced validation checks for image upload that check the filename and image format. The image is now always processed, which reduces attacks where the file content does not match its declared type.
RDAPI-15053 01012736 Issue: Input for phone, mobile, email, and description was not properly validated in the API Manager User API. Resolution: Input validation for phone and mobile fields and improved email validation have been added.
RDAPI-15092 01019129 Issue: OAuth authorization code flow did not check that authorization code corresponds to client when generating authorization token. Resolution: API Gateway checks that authorization code corresponds to client requesting the authorization token and rejects token creation if it does not.
RDAPI-15150 01028183 Issue: API Manager XSS security vulnerability with old versions of Internet Explorer. Resolution: Code supporting old browsers has been removed because it contained an XSS security vulnerability. Internet Explorer versions 8.0 and 9.0 are no longer officially supported by API Gateway v7.5.x, as stated in the user documentation.
RDAPI-15569 01030134 Issue: API Manager API traffic could suffer from Timing Attack. Resolution: API Manager applies countermeasures against Timing Attack for API traffic.
RDAPI-15703 00993619, 00984372 Issue: API import feature in API Manager leaks underlying version of Java. Resolution: Set User-Agent of GET Request to VordelSecure to mask underlying Java version.
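The role check described for RDAPI-14077, as an added example that is not Axway code: a caller may assign only roles at or below their own, and an Organization Administrator is confined to their own organization. The role identifiers (`user`, `oadmin`, `admin`), their ordering and the `PUT /users/{id}` simulation are assumptions.

```python
"""Role-change authorization of the kind described for RDAPI-14077.

Added example, not Axway code. Role strings and their ordering are
assumptions: API Manager has User, Organization Administrator and
API Manager Administrator roles; the exact identifiers may differ.
"""
from dataclasses import dataclass

# Lowest privilege first. A caller may grant only roles that do not rank
# above the role the caller holds.
ROLE_RANK = {"user": 0, "oadmin": 1, "admin": 2}


@dataclass
class User:
    user_id: str
    organization_id: str
    role: str


class RoleChangeDenied(Exception):
    pass


def role_change_denial(actor, target, new_role):
    """Return None if actor may set target's role to new_role, else the reason."""
    if new_role not in ROLE_RANK:
        return "unknown role"
    actor_rank = ROLE_RANK[actor.role]
    if actor_rank < ROLE_RANK["oadmin"]:
        # Covers the reported case: a plain user sending PUT on their own record.
        return "only administrators may change roles"
    if ROLE_RANK[new_role] > actor_rank:
        return "cannot grant a role above your own"
    if ROLE_RANK[target.role] > actor_rank:
        return "cannot modify a user with a higher role"
    if actor.role == "oadmin" and target.organization_id != actor.organization_id:
        return "organization administrators are limited to their own organization"
    return None


def apply_put_user(actor, target, payload):
    """Simulate PUT /users/{id} (assumed shape); role is the security-relevant field."""
    new_role = payload.get("role", target.role)
    if new_role != target.role:
        reason = role_change_denial(actor, target, new_role)
        if reason:
            raise RoleChangeDenied(reason)
    return User(target.user_id, target.organization_id, new_role)
```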
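The URL validation described for RDAPI-14379, as an added example that is not Axway code: http(s) only, public hosts only, and one identical error text for every failure so the response cannot be used to probe hosts, ports or files. The function names, the generic message and the exact allow-rules are assumptions drawn from the release note.

```python
"""Server-side URL validation for a "fetch certificate from URL" feature,
the class of fix described for RDAPI-14379. Added example, not Axway code.

Rules are an assumed reading of the note: http(s) only, public hosts only,
one identical error for every failure. IP literals are classified without
DNS so this runs offline; a deployment must also resolve the hostname and
re-check every returned address right before connecting (DNS rebinding).
"""
import ipaddress
from urllib.parse import urlsplit

# One opaque message for every rejection or fetch failure, so the response
# does not reveal whether a host, port or file exists.
GENERIC_ERROR = "No certificate could be retrieved from the supplied URL."


def is_public_host(host: str) -> bool:
    """Reject loopback, private, link-local, multicast and reserved
    addresses, and names that can only resolve inside the deployment."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: require a dotted name that is not localhost.
        return "." in host and host != "localhost" and not host.endswith(".localhost")
    return addr.is_global


def validate_certificate_url(url: str) -> str:
    """Return the URL if acceptable, otherwise raise ValueError(GENERIC_ERROR)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(GENERIC_ERROR)
    if parts.username is not None or parts.password is not None:
        raise ValueError(GENERIC_ERROR)  # user@host forms invite parser confusion
    if not is_public_host(parts.hostname):
        raise ValueError(GENERIC_ERROR)
    return parts.geturl()


def fetch_certificate(url: str) -> str:
    """Outcome as the API would report it: the same text for every failure."""
    try:
        validate_certificate_url(url)
    except ValueError:
        return GENERIC_ERROR
    # A real implementation would connect here; network and parse errors
    # must map to GENERIC_ERROR as well.
    return "certificate request accepted"
```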
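The token-endpoint check described for RDAPI-15092, as an added example that is not Axway code: an authorization code is recorded with the client it was issued to and can be exchanged only by that client, with single use, expiry and redirect_uri agreement enforced alongside. The store layout, method names and 60-second lifetime are assumptions.

```python
"""Binding an authorization code to the client that redeems it, the check
described for RDAPI-15092. Added example, not Axway code; store layout,
names and lifetime are assumptions.

Before the fix a code issued to client A could be exchanged by client B.
The token endpoint below rejects that, and also enforces single use,
expiry and redirect_uri agreement (RFC 6749 section 4.1.3).
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    CODE_LIFETIME = 60  # seconds; assumption, RFC 6749 recommends at most 10 minutes

    def __init__(self):
        self._codes = {}  # code -> IssuedCode

    def issue_code(self, client_id, redirect_uri, user, now=None):
        """Authorization endpoint: record which client the code was issued to."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, user, now + self.CODE_LIFETIME)
        return code

    def redeem_code(self, code, client_id, redirect_uri, now=None):
        """Token endpoint: return (True, token) or (False, "invalid_grant").
        Every rejection uses the same error so the reason is not disclosed."""
        now = time.time() if now is None else now
        entry = self._codes.get(code)
        if entry is None:
            return False, "invalid_grant"
        # The fix: the authenticated client must be the one the code was issued to.
        if not hmac.compare_digest(entry.client_id, client_id):
            return False, "invalid_grant"
        if entry.used or now > entry.expires_at or entry.redirect_uri != redirect_uri:
            return False, "invalid_grant"
        entry.used = True  # single use: a replayed code fails
        return True, {"access_token": secrets.token_urlsafe(32), "sub": entry.user}
```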

Other fixed issues

Internal ID Case ID Description
RDAPI-13787 00976057 Issue: Organization API access alerts were not triggered during POST requests to /proxies/grantaccess. Resolution: An organization API access alert is generated for every organization/API pair during POST requests to /proxies/grantaccess.
RDAPI-13931 00966823 Issue: API Gateway JMS Service threads get locked when trying to reconnect after an external JMS server outage. Resolution: JMS threads now reconnect automatically after an external JMS server outage.
RDAPI-13937 00994951, 00990926 Issue: Each API Manager instance was showing metrics for all groups in the domain, not just its own. Resolution: Each API Manager instance only shows metrics for its own group.
RDAPI-13965 00989460 Issue: API Manager did not import or show the correct response definitions or would fail to display the API method. Resolution: API Manager imports and displays them correctly.
RDAPI-13983 00961953 Issue: Deleting an API Manager front-end API in a system with many APIs and quotas took too long. This was because the application hit the database with too many unnecessary CRUD operations. Resolution: Only necessary operations are performed, and deleting a front-end API should only take a few seconds, depending on how close API Gateway is to the Apache Cassandra cluster.
RDAPI-13986 00987739 Issue: Import of a WSDL into API Manager was hanging. Resolution: The import completes successfully.
RDAPI-14005 00979478 Issue: Cannot edit a proxy associated with an API Manager method override that does not point to the default back-end API method (set at virtualization time). Resolution: The proxy associated with the method override can now be edited when persisted.
RDAPI-14024 00983348 Issue: Unexpected 403 response when sending a POST request with default profiles to /proxies to virtualize an API. Resolution: Default profiles are accepted when sending a POST request to /proxies in order to virtualize an API.
RDAPI-14045 00999445 Issue: Links sent to finish API Manager user registration process did not work when special characters were used in the email address. Resolution: Email address parameter is now encoded in the URL.
RDAPI-14071 00962018 Issue: API Manager REST API HTTP Basic Authentication fails when user password contains colon character (:). Resolution: You can now include the colon character in the password.
RDAPI-14086 00973925 Issue: apimanager-promote script does not update an application with the same name if the application ID is different. Resolution: apimanager-promote now updates an application with the same name regardless of application ID.
RDAPI-14094 00999714 Issue: In API Manager, importing WSDL from an SSL-protected endpoint with a self-signed certificate failed. Resolution: WSDL import from an SSL-protected endpoint with a self-signed certificate now succeeds.
RDAPI-14103 01000980 Issue: Content-Type of the Consumes and Produces type is missing in API Manager for PATCH methods imported from Swagger. Resolution: Content-Type of the Consumes and Produces type is displayed in API Manager.
RDAPI-14150 00977732 Issue: Using API Manager with Internet Explorer or Edge browsers to import a back-end API, you had to click the Select file button twice before it worked. Resolution: The Select file button works properly now on first click.
RDAPI-14154 00942402 Issue: When a front-end API is secured using an invoked policy that contains a Connect to URL filter, and the connection to the API fails, API Manager returns 200 or 204 HTTP status instead of 500 Internal Server Error. Resolution: API Manager now returns 500 Internal Server Error in this scenario.
RDAPI-14210 00963367 Issue: When importing applications with quota overrides that were exported using API Manager or its REST API with Export quota overrides selected, the API with quota overrides changed to undefined. Resolution: Locating APIs in quota settings during application import is now fixed. Also added error messages for scenarios such as API or method not found.
RDAPI-14227 00946314, 00961189 Issue: A front-end API is configured with OAuth or OAuth (external) Inbound Security with the “Scopes must match” setting set to “All”. A request to the front-end API fails if the request’s access token contains more scopes than are configured for the front-end API. Resolution: A request with an access token containing more scopes than are configured for the front-end API no longer fails.
RDAPI-14244 00949835 Issue: Problems importing Swagger definitions when an array contains primitive types such as string. Resolution: Changed the import to allow arrays that contain simple types.
RDAPI-14264 00980228 Issue: UI performance issues when adding or removing users from an application in API Manager when a large number of applications and users exist. Resolution: UI performance issues have been resolved.
RDAPI-14320 00985086 Issue: WSDL with more than one endpoint per binding (for example, HTTP and HTTPS) only displayed the first endpoint when imported in API Manager. Resolution: API Manager now displays all the endpoints of each imported WSDL.
RDAPI-14412 00978229 Issue: When HTTP requests failed, request paths were not recorded correctly in the transaction event log. Resolution: Request paths are always recorded correctly.
RDAPI-14453 01006639 Issue: Adding a query string to a front-end API in an outbound per-method override through an API proxy resulted in the wrong query string if the front-end API's effective back-end service URL already had a query string. Resolution: The query string is correctly added.
RDAPI-14548 00983453, 00990270 Issue: When two APIs share back-end and front-end URLs, one is chosen at random regardless of its state. Resolution: Now, the API that is published takes precedence.
RDAPI-14768 01002805, 01009406 Issue: In API Manager, the update organization API method PUT /api/portal/v.1.3/organizations/{id} failed to do basic checks to prevent corrupt data, allowing broken links between KPS tables, invalid email addresses, and setting flags that were usually unavailable in the UI. Resolution: The update organization API method now enforces stronger validation, similar to the create organization API method.
RDAPI-14786 00942267, 01004780 Issue: When changing an organization name, if an application API key was previously loaded in a Try It form, API Manager displayed “The entity could not be found. Please refresh your session”. Resolution: This issue has been fixed and API Manager no longer displays this error message.
RDAPI-14870 00987150 Issue: Virtualized API with path that contained trailing unencoded whitespace was not matched by the matching filter. Resolution: Front-end REGEX validation and back-end import validation now remove the invalid whitespace and warn the user.
RDAPI-14886 01018773, 01016524 Issue: API method parameters without a Data Type value in API Manager caused issues when attempting to view the API definition in API Catalog. Resolution: Added validation on method import and in the API Manager UI, and a default value for a missing Data Type. Note: You must reimport existing APIs that exhibit this behavior so that missing data types are resolved to the default of ‘string’.
RDAPI-14916 01018727 Issue: A virtualized API must be published to be assigned to a virtual host. Resolution: Now, a virtualized API can be assigned to a virtual host before being published.
RDAPI-15010 01019448 Issue: When importing or updating OAuth client credentials, API Gateway checked that the redirectUrls value was a URL, and included validation against empty strings. Resolution: API Gateway now omits empty and whitespace-only values, and only checks that values are URLs and imports them when they have content.
RDAPI-15059 00995523 Issue: AWS Signing (Authorization Header) security device in API Manager did not validate the request timestamp, which did not comply with Amazon documentation. Resolution: The security device now validates the request timestamp and complies with Amazon requirements.
RDAPI-15069 01022178 Issue: When updating an image for any user, the API Manager user panel at the top right was updated to show you connected as that user, regardless of who was logged in. Resolution: The API Manager user panel is only updated when the image for the logged-in user is updated.
RDAPI-15118 01004743 Issue: When publishing an API on a virtual host in API Manager, the virtual host matching was case sensitive and resulted in an error if a different case was presented. Resolution: The virtual host matching in API Manager is now case insensitive.
RDAPI-15263 01015430, 01031170 Issue: Calls to API Manager User and Application APIs were very slow when large numbers of users and/or applications were created. Resolution: Set the com.axway.apimanager.api.data.cache system property to True to cache users and applications in memory at startup. In-memory cache is kept up-to-date using the API Manager events mechanism.
RDAPI-15296 01026334 Issue: “No Match For Request” error when Content-Type was not equal to the API method MIME type. Resolution: Use the com.coreapireg.apimethod.contenttype.legacy=true system property to disable this Content-Type check for single API method exact matching and to allow legacy API method matching. For example: <ConfigurationFragment> <VMArg name="-Dcom.coreapireg.apimethod.contenttype.legacy=true" /></ConfigurationFragment>. The default value is false.
RDAPI-15321 01028639 Issue: API Manager changed JSON formatting every time it processed JSON. Resolution: API Manager does not reformat JSON payload unless it has been modified by custom policies.
RDAPI-15389 Issue: During update and refresh operations, the listeners on all APIs that watch for changes are deactivated. If the list is long enough, the UI might start listening for changes before the refresh operation is complete, resulting in a perceived update to the APIs and many PUT requests being sent to the back-end. Resolution: The listener handling is fully verbose now, and this race condition no longer occurs.
RDAPI-15428 01023087 Issue: Using the apimanager-promote script, if the folder containing data (api-export.dat and promotion.properties) also contained subfolders or empty files, an exception was thrown. Resolution: Subfolders and empty files are now ignored.
RDAPI-15584 01026760 Issue: A large volume of data in the description of an API method shifted the Description and Method name fields outside the visible area. Resolution: The screen design now handles large volumes of data in the method description.
RDAPI-15602 Issue: External Credentials were displayed in API Manager in a grid structure with no maximum rows or paging, which caused excessive memory use with large data sets. Resolution: The display format has been changed from a grid structure to a list with paging and filtering functionality.