API Manager fixed issues

API Manager 7.6.2 includes all fixes for 7.5.3 Service Packs up to and including 7.5.3 SP 7. For details of all the Service Pack fixes included in 7.6.2, see the corresponding SP Readme attached to each Service Pack on Axway Support at https://support.axway.com.

Fixed security vulnerabilities

API Manager 7.6.2 fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-11491 00925293 CWE-298 Issue: API Manager email registration links did not expire.
Resolution: The email registration link is now only valid for 48 hours. An attempt to access the link after 48 hours will fail.
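The following is an added example, not Axway code, of how a time-limited registration link can be enforced: the link carries a signed token with its issue time, and verification rejects it once 48 hours have passed. The secret and the 48-hour constant are constructed for the example; how API Manager itself encodes its links is not described on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment loads this from protected
# configuration rather than a literal in source.
REGISTRATION_SECRET = b"constructed-example-secret"
LINK_LIFETIME_SECONDS = 48 * 60 * 60  # 48-hour validity window
_SIG_LEN = hashlib.sha256().digest_size  # fixed-length HMAC tail, so no separator is needed


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_registration_token(email: str, issued_at: int, secret: bytes = REGISTRATION_SECRET) -> str:
    """Build a URL-safe token carrying the address and issue time plus an HMAC-SHA256 tag."""
    payload = json.dumps({"email": email, "iat": issued_at}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload, secret)).decode()


def verify_registration_token(token: str, now: int, secret: bytes = REGISTRATION_SECRET):
    """Return the e-mail address if the token is authentic and unexpired, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, signature = raw[:-_SIG_LEN], raw[-_SIG_LEN:]
    # Constant-time comparison: check authenticity before trusting any claim.
    if not hmac.compare_digest(signature, _sign(payload, secret)):
        return None
    try:
        claims = json.loads(payload)
        issued_at = int(claims["iat"])
        email = claims["email"]
    except (ValueError, KeyError, TypeError):
        return None
    # Expired links fail even though the signature is valid.
    if now - issued_at > LINK_LIFETIME_SECONDS:
        return None
    return email


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = make_registration_token("dev@example.com", t0)
    print(verify_registration_token(token, t0 + 47 * 3600))  # dev@example.com
    print(verify_registration_token(token, t0 + 49 * 3600))  # None
```

Because the issue time is inside the signed payload, a client cannot extend its own link by editing the timestamp; any change invalidates the tag.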
RDAPI-11678 00926874 CWE-319 Issue: API Manager static files such as registration-failed, request-forgotten-pw-failed, and so on, were accessible with all HTTP methods, which was reported as insecure during vulnerability testing.
Resolution: This vulnerability is no longer present on systems that are upgraded or newly installed.
RDAPI-12407 00917113 CWE-256 Issue: API collections exported from API Manager contained plain text credentials, because the collection was exported as a plain text file by default.
Resolution: When exporting API collections, the file is encrypted by default and you must supply a password.

API Manager 7.6.1 fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-9120 00895727 CVE-2016-7103, CWE-79 Issue: Security vulnerability in jQuery.
Resolution: Previously, API Gateway Manager and API Manager used jQuery 1.1.7, which is susceptible to a security vulnerability. Now, jQuery has been upgraded to jQuery 2.2.4, which is not susceptible to this security vulnerability.
RDAPI-10527 00906442 CWE-93 Issue: CRLF Injection in /api/portal/v1.3/discovery/ on the filename parameter.
Resolution: Previously, the API Manager API allowed a CRLF Injection in /api/portal/v1.3/discovery/ on the filename parameter. Now, there is no CRLF Injection allowed on the filename parameter in /api/portal/v1.3/discovery/.
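As an added example (not Axway code) of the kind of check that closes a CRLF injection on a filename parameter: the value is rejected if it contains any control character before it is placed in a Content-Disposition header, and non-ASCII names are carried in an RFC 5987 filename* parameter rather than written raw. The function names are assumptions for this example; the page does not describe how the API Manager endpoint itself validates the parameter.

```python
import re
from urllib.parse import quote

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL and other controls
_TOKEN_SAFE = re.compile(r"^[A-Za-z0-9._\-]+$")    # conservative ASCII whitelist


def sanitize_download_filename(name: str, default: str = "download") -> str:
    """Reject header-breaking characters and reduce the value to a bare file name."""
    if _CONTROL_CHARS.search(name):
        # A CR or LF here would terminate the header line, so refuse the request.
        raise ValueError("control character in filename")
    # Keep only the last path segment so directory components cannot leak into the header.
    name = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return name or default


def content_disposition(name: str) -> str:
    """Build a Content-Disposition value that is safe to emit as a single header line."""
    clean = sanitize_download_filename(name)
    if _TOKEN_SAFE.match(clean):
        return 'attachment; filename="%s"' % clean
    # Non-token characters: give an ASCII fallback plus a percent-encoded UTF-8 form.
    ascii_fallback = re.sub(r"[^A-Za-z0-9._\-]", "_", clean) or "download"
    return "attachment; filename=\"%s\"; filename*=UTF-8''%s" % (
        ascii_fallback, quote(clean, safe=""))


def is_single_header_line(value: str) -> bool:
    """Final guard a response layer can apply to any header value before sending."""
    return _CONTROL_CHARS.search(value) is None


if __name__ == "__main__":
    print(content_disposition("report.json"))
    print(content_disposition("résumé.pdf"))
    try:
        content_disposition("x\r\nX-Injected: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than silently stripping is deliberate: a filename containing CR or LF is never legitimate input, and a hard failure surfaces the attempt in logs instead of hiding it.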

API Manager 7.6.0 fixed security vulnerabilities

Internal ID Case ID CVE Identifier Description
RDAPI-10444 00906442 CWE-209 Issue: Security vulnerability when creating an application.
Resolution: Previously, error handling exposed information if you issued a POST request with invalid data to create an application in API Manager. Now, if you attempt to create an application using invalid data, API Manager shows you the correct error message and no information is exposed.
RDAPI-10525 00906442 CWE-384 Issue: Fixed user sessions in API Manager.
Resolution: Previously in API Manager, it was possible to fix a user's session and once the user had logged in to API Manager use the predefined session to impersonate that user. Now, this is no longer possible, because API Manager regenerates the session ID for a user after the user logs in.
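The resolution above, as an added example rather than API Manager's own implementation: an in-memory session store that issues a fresh session ID when a user authenticates and discards the pre-login ID, so an ID planted before login no longer maps to the authenticated session. The store and its method names are constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store with session-ID rotation at login."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; unguessable and never derived from client input.
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        """Start an unauthenticated session, e.g. when the login page is first served."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        """Look up session data, or None if the ID is unknown (or has been rotated away)."""
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session: copy its data under a new ID and retire the old one.

        Any ID the client held before this point stops working, which is what
        defeats a fixed session."""
        data = self._sessions.pop(sid, None) or {}
        data = dict(data, user=user)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    before = store.create_anonymous()
    after = store.login(before, "alice")
    print(before != after, store.get(before), store.get(after))  # True None {'user': 'alice'}
```

The server must also send the new ID to the browser in the session cookie after login; rotating it only in the store while the client keeps the old cookie would simply log the user out.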
RDAPI-10563 00901852 CWE-913 Issue: API Manager static content files accessible without authentication.
Resolution: Previously, the static content files on API Manager web UI could be accessed without user authentication. Now, the static content on all API Manager pages except the login page is fully protected in all new API Manager configurations.
To protect non-login static content in an existing API Manager configuration, you must run the posix/bin/update-apimanager script for each group in your topology to apply the protection configuration. It is recommended to back up your configuration before running the script.
RDAPI-10749 00906442 CWE-209 Issue: Security vulnerability when updating the advisorybanner API.
Resolution: Previously, error handling exposed information if you issued a PUT request with invalid data in the request body to the advisorybanner API. Now, if you try to update the advisorybanner using invalid data, API Manager shows you the correct error message and no information is exposed.
RDAPI-10806 CVE-2017-1000048 Issue: Security vulnerability in the SDK generator.
Resolution: Previously, the SDK generator in API Manager used the Node.js module qs v6.2.1 that contained a security vulnerability. Now, the Node.js version has been updated, and the security vulnerability is no longer present.
RDAPI-11424 00925709 CWE-79 Issue: Cross-site scripting (XSS) vulnerability in API Manager quota.
Resolution: Previously, APIs in API Manager that exceeded their quotas reflected the original message body back to the client, causing a reflected XSS vulnerability. Now, when the API quota is exceeded, APIs do not send the message body back to the client.
In addition, API Gateway previously sent an HTTP 403 response code when a resource path was not found. Now, API Gateway correctly sends an HTTP 404 response code.

Other fixed issues

API Manager 7.6.2 other fixed issues

Internal ID Case ID Description
RDAPI-11801 00922991 Issue: API Version and State attributes not displayed in the APIs list on the Applications page in API Manager.
Resolution: These attributes are now displayed in the APIs list on the Application page.
RDAPI-11895 00930929 Issue: API Manager user documentation did not state that unpublished APIs are only displayed to the owner's organization, and not to other organizations.
Resolution: The documentation has been updated to clarify this.
RDAPI-11932 00927783 Issue: Korean characters (UTF-8) appeared as a series of question marks (???) in API Manager registration emails.
Resolution: All UTF-8 characters are correctly rendered in the registration email, provided the mail.mime.charset system property is set to "utf-8" using a jvm.xml file.
RDAPI-12016 00895802 Issue: API Manager did not return 400 Bad Request in the HTTP response status if JSON validation failed.
Resolution: 400 Bad Request is returned in the HTTP response status if JSON validation fails.
RDAPI-12047 Issue: API Gateway less responsive when system entropy level is low.
Resolution: API Gateway now makes fewer random number generation calls for path resolving per request, and responsiveness is improved. To further improve responsiveness, your Linux system administrator should resolve the low system entropy level.
RDAPI-12064 00926473 Issue: In a multi-node deployment, after registering a WSDL to API Manager the Download WSDL link only works for the first server, and the other servers must be restarted.
Resolution: Download WSDL link works for all servers in a multi-node deployment without restarting.
RDAPI-12207 00944673 Issue: API Manager user documentation only explained how to customize password validation for the change password feature.
Resolution: The documentation now also explains how to customize password validation for the user registration feature.
RDAPI-12214 00912805, 00911974 Issue: Some sorting and filtering options did not work correctly in API Manager.
Resolution: Issues with sorting and filtering have been fixed and you can now sort application developers and applications by organization and display all users and applications for a specific organization. Also, the link to the respective organization from the Application Developers and Applications pages now works correctly, and you can enable case-insensitive table sorting (sorting is case-sensitive by default).
RDAPI-12253 00940071 Issue: API outbound custom routing policies had to use a custom script to access authentication profiles to configure a Connection filter.
Resolution: Authentication profile configurations are enabled for the Connection filter in API outbound custom routing policies.
RDAPI-12282 00941934 Issue: Failure reimporting an API collection that included APIs that were previously cloned and modified (methods deleted).
Resolution: You can now successfully export and reimport an API collection that includes APIs that were previously cloned and modified.
RDAPI-12299 00924527 Issue: For a front-end API with an outbound authentication profile set up for SSL Client Certificate, where the certificate was malformed or corrupted, a MalformedURLException appeared in the API Gateway trace, but the corresponding front-end API was not listed in API Manager.
Resolution: An exception appears in the API Gateway trace, and the corresponding front-end API name, organization name, and version are now listed in API Manager.
RDAPI-12375 00950002 Issue: If an API Manager session cookie was deleted, API Manager continuously looped on the login page.
Resolution: If the session cookie is deleted, the server ensures that associated cookies are also deleted, and the user can log in successfully.
RDAPI-12399 00939103, 00948780, 00942725 Issue: Incorrect encoding of SOAP endpoint URI if the SOAP endpoint contained query parameters.
Resolution: SOAP endpoints containing query parameters are encoded correctly.
RDAPI-12400 00948674 Issue: Outbound back-end service URL not displayed correctly in API Manager.
Resolution: Outbound back-end service URL is now encoded correctly and displays correctly in API Manager.
RDAPI-12419 00934697 Issue: API method description containing special characters not displayed correctly in API Catalog.
Resolution: Special characters are displayed correctly.
RDAPI-12441 00932805 Issue: API Manager reflected the request body in the response for 4xx errors.
Resolution: API Manager no longer reflects the request body in the response.
RDAPI-12760 Issue: Back-end service URL contained a double slash if the base path ended in a single slash.
Resolution: Back-end service URL no longer shows a double slash.
RDAPI-12842 00964971, 00964501 Issue: API Manager configuration settings accidentally overwritten with default settings when the process failed to read them.
Resolution: API Manager reports an error when it fails to read configuration settings and the settings are not overridden.
RDAPI-12858 00962369, 00956154 Issue: Cannot edit front-end API per-method override if back-end API method contains multiple body parameters.
Resolution: You can now edit the front-end API per-method override for methods with multiple body parameters. However, only the first body parameter is displayed, along with a warning message.
RDAPI-12906 00954793 Issue: Logo appeared in API developer registration email after being removed from email template.
Resolution: The logo no longer appears in the email if it is removed from the template.
RDAPI-13124 00930932 Issue: Default response codes were added during import, even if they already existed, resulting in duplicate response codes.
Resolution: Default response codes are only added during import if the response code does not currently exist for the method.
RDAPI-13132 00967330 Issue: Exception when API Manager tried to process a request that contained a JSON payload when an API method body parameter was optional.
Resolution: API Manager correctly processes JSON payloads when an API method body parameter is optional.
RDAPI-13230 00967883, 00949233, 00950615 Issue: 64-bit integer path parameters were incorrectly validated as 32-bit integers and rejected.
Resolution: 64-bit integer path parameters are correctly validated and passed through to the back-end.
RDAPI-13382 00959616 Issue: API Manager crashed when deleting a remote host that was created using another instance in the group.
Resolution: Debug traces are logged when remote hosts are not found and API Manager no longer crashes.
RDAPI-13384 00971103 Issue: Downloading Swagger for different APIs with the same name resulted in the same file being downloaded (one of which was incorrect).
Resolution: The correct Swagger file is downloaded for each API.
RDAPI-13689 00915348, 00931270 Issue: A 'StatusCode 0' error occurred when using Try Method in API Manager for an API-key protected front-end API where no JavaScript origins were configured.
Resolution: When using Try Method for an API-key protected front-end API, you are now prompted to select an application and corresponding API key, which is validated before testing the API. If no JavaScript origin is configured, you cannot invoke the API, and the error does not occur.

API Manager 7.6.1 other fixed issues

Internal ID Case ID Description
RDAPI-10428 00901780 Issue: API key field name selector for two-way SSL inbound security in API Manager does not work.
Resolution: Previously, when virtualizing a front-end API protected by two-way SSL, the selector configured in API Manager used to obtain the API key from the client certificate was ignored by the runtime, always defaulting to ${certificate.subject.CN}.
Now, the selector entered in API Manager is correctly picked up by the runtime. The selector support has also been expanded to include the client certificate Subject Alternative Name (SAN). The supported selectors are: ${certificate.san.othername}, ${certificate.san.dns}, ${certificate.san.email}, ${certificate.san.rfc822name}, ${certificate.san.dname.CN}, and ${certificate.san.rid}.
RDAPI-11255 00919428 Issue: API Manager HTTP error codes and messages.
Resolution: Previously, the API Manager documentation did not describe the HTTP error responses. Now, the documentation includes this information.
RDAPI-11712 00930827 Issue: API Manager application image compression.
Resolution: Previously, after importing an application, API, or image in API Manager, the image became blurred. Now, after importing in API Manager, these images are no longer blurred.
RDAPI-11976 00903673 Issue: Cannot unpublish an API with pending API access in API Manager.
Resolution: Previously, in API Manager you could not unpublish an API that had pending API access against an application. Now, you can unpublish an API with pending API access against an application.
RDAPI-12019 00922245 Issue: API Manager behaves differently depending on whether a request sends an uppercase or lowercase O in the origin header.
Resolution: Previously, CORS headers were forwarded to back-end APIs by API Manager if an uppercase O was used in the origin header, and were not forwarded if a lowercase O was used. Now, API Manager always removes CORS headers and does not send them to back-end APIs regardless of the case used in the origin header.
RDAPI-12183 00908268 Issue: API Manager application image disappears after edit.
Resolution: Previously, after creating an application and adding an image, the image disappeared when you edited the application. Now, the image no longer disappears when you edit the application.

API Manager 7.6.0 other fixed issues

Internal ID Case ID Description
RDAPI-7218 00877344 Issue: Swagger file import causes error on the next deployment.
Resolution: Previously, API Manager did not validate MIME types when you imported Swagger 2.0 files. This could result in importing an invalid MIME type that caused errors when the configuration was deployed to the API Manager group. Now, API Manager validates MIME types in Swagger 2.0 files to prevent importing invalid Swagger definitions.
RDAPI-7884 00882567 Issue: Problem with the back-end URL if the address location in WSDL ends with /.
Resolution: Previously, if you imported a WSDL API that contained an address location ending with / character, the base path for the API was set incorrectly. Now, the base path is set correctly even when the address ends with /.
RDAPI-8407 00885591 Issue: REQUIRED fields return HTTP 500 and no detailed error message.
Resolution: Previously in API Gateway, if you called an API that had REQUIRED fields validated by an API Manager instance that did not exist, API Gateway returned HTTP 500 Internal Server Error. Now, API Gateway correctly returns HTTP 400 Bad Request indicating that the request was incorrect.
RDAPI-8778 00889273 Issue: Incorrect Swagger documentation.
Resolution: Previously, the Swagger documentation for the API Manager REST API method DELETE did not correctly reflect the functionality of the method. Now, the Swagger documentation has been updated to better reflect the actual functionality of the DELETE method.
RDAPI-8815 00888306 Issue: Error messages from API promotion policy do not contain meaningful information.
Resolution: Previously, when you used the API promotion policy to promote APIs, you did not get a meaningful error message in API Manager if the policy failed. Now, if you include the Set Attribute filter in the policy, you can use the attribute errorMessage to set a meaningful error message that is displayed in API Manager if the API promotion policy fails.
RDAPI-8921 00879346 Issue: API Manager ignores the query parameter string on SOAP endpoints.
Resolution: Previously, when you imported an API web service definition into API Manager, API Manager ignored a query parameter in the soap:address location field, so the routing to the back-end URL was wrong. Now, the query parameter in the soap:address location field is retained on import, and the routing to the back-end URL remains correct.
RDAPI-8947 00895146, 00887470 Issue: No version number on an imported API.
Resolution: Previously, when you re-imported an API collection that contained versioned APIs, API Manager did not correctly reflect the versioning after the re-import. Now, the correct API version is shown after the re-import.
RDAPI-8965 00894145 Issue: Wrong error code when calling a non-existent API.
Resolution: Previously, API Gateway returned HTTP 500 Internal Server Error when calling an API that did not exist on API Manager. Now, API Gateway correctly returns HTTP 404 Not Found.
RDAPI-10063 00894818 Issue: The setup-apimanager script ignores the --adminName option.
Resolution: Previously, you could not use the --adminName option in the setup-apimanager script to change the default user name of the API Manager administrator account when creating the account. Now, the setup-apimanager script handles the --adminName and --adminPass options correctly, and you can create the administrator user account with the credentials you want.
RDAPI-10209 00901367 Issue: Unable to use multiple values in a REST request query string parameter.
Resolution: Previously in API Manager, you could not use multiple values in the query string parameter when sending a REST request to a virtualized API, because only one value was sent to the back-end service. Now, all query string values are sent to the back-end service, so you can use multi-value query string parameters.
RDAPI-10248 00884582 Issue: Mails on new user registrations not working as expected.
Resolution: Previously, the approver mail on new users was not working as expected if both Auto-approve user registration and Delegate user management were switched off. The approver email was sent to the email address of the organization, and the approver was redirected to API Portal, or to API Manager if there was no API Portal. Now, if both Auto-approve user registration and Delegate user management are switched off, the approver email is sent to the email address of the API administrator, and the approver is redirected to API Manager. If Delegate user management is ON, the mail is sent to the email address of the organization.
RDAPI-10560 00930069, 00901347 Issue: Java exception when sending a PATCH request containing a JSON array.
Resolution: Previously, when API Manager tried to process a request that contained JSON payload with a root array element, API Manager threw a JSONException and logged an error in the trace file. Now, API Manager correctly processes JSON payloads that contain a root array element.
RDAPI-10786 00905760, 00911323 Issue: Problem publishing two APIs with the same resource path.
Resolution: Previously in API Manager, if you tried to create a front-end API duplicating a resource path already in use, API Manager displayed an "invalid message" error and you could not save the front-end API. Now, you can save a front-end API with a duplicated resource path.
RDAPI-10809 00902220 Issue: API Manager Swagger files are inaccurate.
Resolution: Previously, the query parameters that specific API Manager API endpoints accepted were not documented in the Swagger files. In addition, the Client Application Registry API was documented as part of the API Manager APIs. Now, the missing query parameters have been added to the Swagger files, and the Client Application Registry API is documented in its own Swagger file.
RDAPI-10992 00915443 Issue: Swagger APIs using regular expressions in paths fail after upgrading API Manager.
Resolution: Previously, after you upgraded from API Manager 7.3.1 to v7.5.3 or later, requests to virtualized APIs were not correctly matched with the back-end API if the back-end API path contained regular expressions or multiple template variables. Now, API Manager correctly matches the requests with the back-end API.
RDAPI-11094 00908896 Issue: Application state marked optional, but is mandatory.
Resolution: Previously in API Manager 7.5.3, if you tried to update an application and did not include the state information (marked optional) in the request, updating the application failed. Now, the state field is optional, and you can update an application without filling in the field.
RDAPI-11186 00870827 Issue: API Manager removes forward-slashes from requests.
Resolution: Previously, if you created a back-end API from a Swagger definition file that contained trailing forward-slashes (for example, because the back-end service expected them in the request), API Manager automatically trimmed the trailing forward-slashes from the requests to back-end services.
Now, you can preserve the trailing forward-slashes by setting the following system property:
<VMArg name="-Dcom.vordel.apimanager.uri.path.trailingSlash.preserve=true"/>
RDAPI-11257 00919374 Issue: Error in the Swagger documentation.
Resolution: Previously, the Swagger documentation incorrectly stated that the type of the appIds parameters for migrate/applications/export endpoints is query. Now, the Swagger documentation correctly states that the type is formData.
RDAPI-11441 00912158 Issue: Application override quota not shown in API Manager.
Resolution: Previously, if you had configured API Manager to use a multi-node Cassandra cluster and you tried to add a new quota to an application, the quota was not always created correctly. Now, the new quota is created correctly and is visible in API Manager.
RDAPI-11457 00918072 Issue: Internal server error when creating a front-end API.
Resolution: Previously, when you created a front-end API from an imported Swagger definition that did not have the host and base path set, API Manager displayed an internal server error, and the created API was only visible after a refresh. Now, there is no internal server error and the front-end API is visible in API Manager right away.
RDAPI-11495 00908256 Issue: API administrator not notified on an unreachable email address in self-registration.
Resolution: Previously, if a new user entered an unreachable email address when self-registering to API Manager or API Portal, the API administrator was not notified of the failed registration email. Now, the API administrator receives a notification if sending the registration email to the newly registered user fails.
RDAPI-11498 00918621 Issue: The POST method in API Manager REST API ignores the user type.
Resolution: Previously, when you invoked the POST method in the API Manager REST API to call /api/portal/v1.3/users/, the method ignored the user type (internal or external) you specified and set the type to internal. Now, the POST method correctly sets the user type as you specify. The default user type is internal.
RDAPI-11509 00921767 Issue: Unable to upgrade an API using API Manager REST API.
Resolution: Previously, if you tried to upgrade an API using the API Manager REST API, the code comments in the REST API to generate the API description incorrectly indicated that the back-end API ID should be used in the upgrade. Now, the code comments have been updated and correctly indicate that the front-end API ID should be used for the upgrade operation.
