Board posts

Administrator
April 5, 2023
In Announcements
👋 Kong Community,

We’re happy to announce the release of Kong Ingress Controller (KIC) 2.9, in which we’ve taken significant steps towards solution extensibility, deployment flexibility, and lowering the cost of ownership. KIC now offers a number of features that we think you’ll be excited about:
- Kubernetes Gateway API Conformance
- gRPC Routes
- Enhanced Visibility Using Kubernetes Events
- Independent Ingress / Data Plane Scaling
- Gateway Discovery

Learn in depth about the new features and read the full product release here.

~Kong Community Team
Administrator
April 4, 2023
In Announcements
Customers using the Layer7 OAuth Toolkit (OTK) are asked to review the following and take it into account in their operations.

Full text of the Broadcom notice

To: Layer7 OAuth Toolkit Customers
From: Layer7 API Management team
Subject: EOS for selected versions of Layer7 OAuth Toolkit

Broadcom Software is continually working to improve our software and services to best meet the needs of our customers. In accordance with our Broadcom Maintenance Policy Handbook, please consider this email your written notification that we are discontinuing technical support for the following product versions, effective April 3, 2024:
- Layer7 OAuth Toolkit 4.5 including all 4.5.x releases (i.e. 4.5.1)

This will allow our development organization to focus our efforts more effectively on and add value to the current and next releases of the Layer7 OAuth Toolkit.

At this time, we encourage you to plan for the migration to the latest associated versions (currently Layer7 OAuth Toolkit 4.6.1) as soon as possible, so that you can take full advantage of the latest new features and enhancements this release has to offer. For additional information on Layer7 OAuth Toolkit, please visit the Layer7 product pages at Broadcom Support Online.

As Broadcom would like to make your upgrade to a newer version of the Layer7 OAuth Toolkit as seamless and straightforward as possible, we are offering the following:
- Upgrade to a supported version of the Layer7 OAuth Toolkit, at no charge, as long as you have an active maintenance contract for Layer7 OAuth Toolkit. Please check the product compatibility matrixes at the product documentation page here to plan your upgrade.
- Upgrade assistance from qualified local Broadcom Partners.

Regards,
Layer7 Product Management team

Copyright © 2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
Administrator
April 3, 2023
In Announcements
Customers using the Layer7 OAuth Toolkit (OTK) are asked to review the following and take it into account in their operations.

Full text of the Broadcom notice

To: Layer7 OAuth Toolkit (OTK) Customers
From: The Broadcom Layer7 Product Team
Subject: General Availability Announcement for Layer7 OAuth Toolkit (OTK) 4.6.1

The Layer7 product group of Broadcom's IMS division is pleased to announce that the Layer7 OAuth Toolkit (OTK) version 4.6.1 is now available! This milestone provides additional enhancements to support Open Banking and other enhancements based on customer feedback. Congratulations to the team for reaching this important milestone while continuing to provide important enhancements to our customers!

Here are the highlights of the Layer7 OTK 4.6.1 release:
- Financial-Grade API (FAPI) 1.0 CIBA Profile (Poll Mode) - provides support for the Client-Initiated Backchannel Authentication (CIBA) specification to allow for user authentication from an alternate device.
- Financial-Grade API (FAPI) 1.0 Pushed Authorization Requests (PAR) - allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides the ability for the authorization server to authenticate the client before any user interaction happens.
- RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol - enhances the OTK’s existing dynamic client registration support to be compliant with RFC 7591.
- RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol - enhances the OTK’s existing dynamic client registration support to provide additional support for fully managing client registrations as defined in RFC 7592.
- Helm Chart Deployment - allows for deployment of the OTK via Helm charts which are now provided via optional configuration in the Layer7 API Gateway Helm charts.

Please see the release notes and product documentation for more information.

You can download your copy of Layer7 OAuth Toolkit (OTK) 4.6.1 from Broadcom Support Online https://support.broadcom.com/.

If you have any questions or require assistance please contact Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form: https://ca-broadcom.wolkenservicedesk.com/web-form?_ga=2.205828371.1432263889.1590607313-713014253.1588711301. You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country.

Should you need any assistance, our Broadcom Services experts can help. For more information on Broadcom Services and how you can leverage our experience, please visit https://www.broadcom.com/support/ca/services-support/ca-services.

Your success is very important to us, and we look forward to continuing our successful partnership with you.

To review Broadcom Support lifecycle policies, please review the Broadcom Support Policy and Terms located at: https://support.broadcom.com/.

Thank you again for your business.
Administrator
January 31, 2023
In Announcements
Customers using Layer7 API Gateway version 10.1 are asked to review the following and take it into account in their operations.

Full text of the Broadcom notice

To: Layer7 API Gateway Customers
From: The Broadcom Layer7 API Gateway Product Team
Subject: End of Service Announcement for Layer7 API Gateway 10.1

Broadcom Software is continually working to improve our software and services to best meet the needs of our customers. In accordance with our Broadcom Maintenance Policy Handbook, please consider this email your written notification that we are discontinuing technical support for the following product versions, effective June 30th, 2024:
- Layer7 API Gateway 10.1

This will allow our development organization to focus our efforts more effectively on the current and next releases of the Layer7 API Gateway.

At this time, we encourage you to plan for the migration to the latest associated versions (currently Layer7 API Gateway 11.0) as soon as possible, so that you can take full advantage of the latest new features and enhancements this release has to offer. For additional information on Layer7 API Gateway, please visit the Layer7 product pages at Broadcom Support Online.

As Broadcom would like to make your upgrade to a newer version of the Layer7 API Gateway as seamless and straightforward as possible, we are offering the following:
- Upgrade to a supported version of the Layer7 API Gateway, at no charge, as long as you have an active maintenance contract for Layer7 API Gateway. Please check the product compatibility matrixes at the product documentation page here to plan your upgrade.
- Upgrade assistance from qualified local Broadcom Partners.

If you have any questions regarding the support schedule, please contact Layer7 API Gateway Broadcom Support at Broadcom Support Online (https://support.broadcom.com/), your local Broadcom Account Manager, Customer Success Manager or Broadcom Customer Care online at https://www.broadcom.com/support/software/contact where you can submit an online request using the Customer Care web form. You can also call Broadcom Customer Care at +1-800-225-5224 in North America or see https://www.broadcom.com/support/software/contact for the local number in your country.

Your success is very important to us, and we look forward to continuing our successful partnership with you.
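Administrator
April 19, 2022
In Announcements
□ Overview
 o The Spring security team has issued interim mitigations and a security update advisory addressing remote code execution vulnerabilities in Spring Framework and Spring Cloud Function
 o An attacker can use these vulnerabilities to cause damage to normal services, so updating to the latest version is recommended
 ※ Check reference site [5]; if you use one of the listed products, apply the patch or countermeasure recommended by its vendor

□ Main content
 o Remote code execution vulnerability in Spring Core (CVE-2022-22965)[1]
 o Remote code execution vulnerability in Spring Cloud Function (CVE-2022-22963)[2]

□ Affected versions
 o CVE-2022-22965 (Spring4Shell)
  - When 1) JDK 9 or later and 2) Spring Framework are used
  - Spring Framework 5.3.0 ~ 5.3.17, 5.2.0 ~ 5.2.19 and earlier versions
  ※ JDK 8 and earlier are not affected by the vulnerability
 o CVE-2022-22963
  - Spring Cloud Function 3.1.6 ~ 3.2.2
  ※ Excluding the versions in which the vulnerability is fixed (the 3.1.7 and 3.2.3 update versions are excluded)

Reference: https://krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=66592

□ APILUX response by product
 o APILUX API Server
  - Upgrade to Spring Boot 2.5.12 and Spring Framework 5.3.18 is planned for v2.0.3.10 (release scheduled for 2022.05.01)
  - The version upgrade will be supported through a patch
 o APILUX API Monitoring
  - Upgrade to Spring Boot 2.5.12 and Spring Framework 5.3.18 has been applied in v2.0.0.0
 o APILUX Unified Portal
  - The current version supports JDK 1.8 by default and is therefore not subject to the update advisory
  - When the JDK version is upgraded in the future, an upgrade to Spring Boot 2.5.12 or later and Spring Framework 5.3.18 or later is planned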
Administrator
April 4, 2022
In Announcements
The following is Broadcom's notification for Layer7 Gateway regarding the recently disclosed Spring Framework vulnerability.

Dear Broadcom Customer:

The purpose of this Advisory is to inform you of a critical vulnerability that has been recently identified with the Spring library under vulnerability, CVE-2022-22965. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.

PRODUCT(S) AFFECTED: Layer7 API Gateway
RELEASE: 10.1

PROBLEM DESCRIPTION:
A flaw, in the Spring Framework library used by API Gateway, was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values.

These are the requirements for the specific scenario from the report:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

SYMPTOMS:
An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

IMPACT:
An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

WORKAROUND:
No workaround is required at this time.

PROBLEM RESOLUTION:
Apr 1, 2022 - Investigation has started. As Layer7 does not use WAR packaging, the scenario mentioned does not seem to apply. But we are investigating further to check impact and resolution.

Thank you,
Broadcom Team.
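Administrator
January 11, 2022
In Announcements
Broadcom
1320 Ridder Park Drive
San Jose, CA 95131
broadcom.com

Dear customers,

Broadcom is responding comprehensively to the multi-layered risks associated with the newly discovered vulnerabilities in several versions of the Apache Log4j utility. From our own IT environment and third-party dependencies to our broad portfolio of enterprise products, our security and engineering teams are working around the clock to identify and fix a range of potential bugs. As the investigation progresses, we will continue to update the response page on our website with the latest information and guidance.

As a member of the Joint Cyber Defense Collaborative (JCDC), we are also working with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and other industry leaders to share actionable analysis and information about attackers attempting to exploit this widely known vulnerability for malicious purposes.

Please continue to check our response page for the latest information and guidance. We ask for your continued interest in and use of our products.

Sincerely,
Sean Oldham
Chief Information Security Officer
Broadcom Software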
Administrator
December 13, 2021
In Announcements
Overview
- The Apache Software Foundation has issued a security update advisory addressing a vulnerability in its Log4j 2 [1]
- An attacker can use this vulnerability to cause damage such as malware infection, so updating to the latest version is recommended

Main content
- Remote code execution vulnerability in Apache Log4j 2* (CVE-2021-44228)[2]
 * A Java-based open-source utility used to write logs from programs

Affected versions
- Apache Log4j 2: all versions 2.0-beta9 ~ 2.14.1
- Products that use Apache Log4j 2

Remediation[1]
- Update to the latest version (2.15.0) from the vendor's website [3]
- If updating to the latest version is difficult, check the version in use and apply the measure for that version

How to check the version
1. Open the "pom.xml" file in the path where log4j is installed and search for "log4j-core"
2. The version in use ("version") is shown in the search result

Measure: 2.0-beta9 ~ 2.10.0
※ Remove the JndiLookup class from the path:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Measure: 2.10 ~ 2.14.1
※ Set log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true

* See the KISA security notice: https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389

CRAVIS product status (libraries used)
- CA Layer7 Gateway - see the link below: https://support.broadcom.com/external/content/security-advisories/Layer7-API-Gateway-Security-Advisory-Log4J-CVE-2021-44228/19791
- KONG Enterprise - Kong does not use Java and is therefore not affected by the Log4j 2 vulnerability CVE-2021-44228
- APILUX API Server - Logback 1.2.3
- APILUX Unified Portal - Logback 1.2.3
- APILUX API Monitoring - Logback 1.2.7 & log4j 1.2.17 (for Camel)

※ CRAVIS products do not currently use the log4j 2 versions in which the security vulnerability was found.
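Added example (not part of the original notice or any vendor's code): the version check and per-version measures described in the Log4j notice above, as a Python sketch that reads the log4j-core version from a pom.xml and returns the measures the notice lists for it. The function names and the sample pom.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the page); the version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.10.0</log4j2.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency></dependencies>
</project>"""

UPGRADE = "update to 2.15.0, the version named in the notice"
REMOVE_CLASS = "remove JndiLookup.class from the log4j-core jar"
NO_LOOKUPS = "set log4j2.formatMsgNoLookups or LOG4J_FORMAT_MSG_NO_LOOKUPS to true"

def log4j_core_version(pom_text):
    """Return the log4j-core version declared in a pom.xml, resolving ${property}."""
    root = ET.fromstring(pom_text)
    for el in root.iter():  # strip the Maven namespace so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    for dep in root.iter("dependency"):
        if dep.findtext("artifactId", "").strip() == "log4j-core":
            version = dep.findtext("version", "").strip()
            m = re.fullmatch(r"\$\{(.+)\}", version)
            return props.get(m.group(1)) if m else (version or None)
    return None

def version_key(version):
    """Sortable key so that 2.0-beta9 < 2.0 < 2.9.1 < 2.10.0 < 2.14.1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version.lower())
    if m is None:
        raise ValueError(f"unrecognised version: {version}")
    rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[m.group(4)]
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), rank, int(m.group(5) or 0))

def mitigations(version):
    """Measures the notice lists for a version; 2.10.0 sits in both of its ranges."""
    key = version_key(version)
    if not version_key("2.0-beta9") <= key <= version_key("2.14.1"):
        return []  # outside the affected range given in the notice
    steps = [UPGRADE]
    if key <= version_key("2.10.0"):
        steps.append(REMOVE_CLASS)
    if key >= version_key("2.10"):
        steps.append(NO_LOOKUPS)
    return steps
```

The ranges are the ones stated in this notice dated December 13, 2021; check the current Apache Log4j security page before relying on them.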