A fix is available
APAR status
Closed as program error.
Error description
When an API that requires a client secret is invoked and its activity log setting is header or payload, the API Gateway sends the client secret (in the request headers or the payload) to the Analytics subsystem instead of redacting it.
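The failure mode above, as an added illustration (not IBM DataPower or API Connect code): a gateway that copies request headers or the payload into an analytics record when the activity log is set to header or payload must mask the client secret first. The vulnerable record builder copies everything verbatim; the hardened one masks the Authorization and client-secret headers and the secret fields of a form or JSON body. The token request, the header names and the field names to mask are constructed assumptions.

```python
"""Activity-log redaction of a client secret before the record goes to analytics.

Added example, not DataPower/API Connect code. The request below is constructed.
"""
import base64
import json
from urllib.parse import parse_qsl, urlencode

REDACTED = "REDACTED"
# Assumption: body fields and header names that must never reach the analytics store.
SECRET_FIELDS = {"client_secret", "password", "refresh_token"}
SECRET_HEADERS = {"authorization", "x-ibm-client-secret"}

# Constructed token request: Basic auth carries client_id:client_secret,
# a custom header carries the secret, and the form body repeats it.
SAMPLE_REQUEST = {
    "headers": {
        "Authorization": "Basic " + base64.b64encode(b"app-123:s3cr3t-value").decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "X-IBM-Client-Secret": "s3cr3t-value",
    },
    "body": urlencode({
        "grant_type": "client_credentials",
        "client_id": "app-123",
        "client_secret": "s3cr3t-value",
    }),
}


def activity_record_unredacted(request, activity_log):
    """Vulnerable form: headers and payload are copied verbatim into the record."""
    record = {"activity_log": activity_log}
    if activity_log in ("header", "payload"):
        record["headers"] = dict(request["headers"])
    if activity_log == "payload":
        record["body"] = request["body"]
    return record


def redact_headers(headers):
    """Mask the whole value of any header that carries credentials."""
    return {k: (REDACTED if k.lower() in SECRET_HEADERS else v) for k, v in headers.items()}


def redact_body(body, content_type):
    """Mask secret fields in form or JSON bodies; drop bodies of unknown type entirely."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, REDACTED if k.lower() in SECRET_FIELDS else v) for k, v in pairs])
    if ct == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return REDACTED
        if isinstance(data, dict):
            return json.dumps({k: (REDACTED if k.lower() in SECRET_FIELDS else v) for k, v in data.items()})
        return REDACTED
    return REDACTED  # unknown content type: do not risk logging it


def activity_record_redacted(request, activity_log):
    """Hardened form: same record shape, credentials masked before it leaves the gateway."""
    record = {"activity_log": activity_log}
    if activity_log in ("header", "payload"):
        record["headers"] = redact_headers(request["headers"])
    if activity_log == "payload":
        record["body"] = redact_body(request["body"], request["headers"].get("Content-Type", ""))
    return record


def contains_secret(record, client_id="app-123", secret="s3cr3t-value"):
    """Does the serialized record leak the secret, in plain text or inside a Basic credential?"""
    text = json.dumps(record)
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return secret in text or basic in text


if __name__ == "__main__":
    for level in ("none", "header", "payload"):
        print(level, "unredacted leaks:", contains_secret(activity_record_unredacted(SAMPLE_REQUEST, level)),
              "redacted leaks:", contains_secret(activity_record_redacted(SAMPLE_REQUEST, level)))
```

The Basic credential is masked as a whole rather than decoded and partially kept, because the base64 form is the same secret in a different encoding and any log search for the plain value would miss it.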
Local fix
N/A
Problem summary
A security scan that included the token endpoint of an API Connect OAuth Provider identified a number of security vulnerabilities. The issues called out include: Strict Transport Security not enforced (medium): the response does not include a Strict-Transport-Security header.
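The check a practitioner would run against a token endpoint for the finding above, as an added example (not the scanner's or IBM's code). It parses the Strict-Transport-Security header as RFC 6797 defines it and flags the missing, invalid, zero and short max-age cases; the two sample responses and the one-year minimum are constructed assumptions. The live fetch is only used when a host and path are passed on the command line.

```python
"""Check a token-endpoint response for Strict-Transport-Security.

Added example, not scanner or DataPower code. Sample responses are constructed.
"""
import http.client
import ssl
import sys

MIN_MAX_AGE = 31536000  # assumption: one year, the usual scanner threshold

# Constructed responses: what the scan reported (no HSTS) and a hardened reply.
RESPONSE_WITHOUT_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: no-store\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    '{"access_token":"example","token_type":"Bearer","expires_in":3600}'
)
RESPONSE_WITH_HSTS = RESPONSE_WITHOUT_HSTS.replace(
    "Cache-Control: no-store\r\n",
    "Cache-Control: no-store\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n",
)


def parse_headers(raw_response):
    """Map lower-cased header names to their values from a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value):
    """Parse HSTS directives; max-age is mandatory and must be numeric (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_hsts(headers):
    """Return a list of findings for the response headers; an empty list passes."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["Strict-Transport-Security header missing"]
    parsed = parse_hsts(values[0])  # a UA honours only the first header field
    if parsed is None:
        return ["Strict-Transport-Security present but max-age missing or invalid"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif parsed["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below the recommended minimum of {MIN_MAX_AGE}")
    return findings


def fetch_token_endpoint_headers(host, path, port=443):
    """Live check: send a deliberately incomplete token request over TLS and keep only the headers."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("POST", path, body="grant_type=client_credentials",
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return headers


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(check_hsts(fetch_token_endpoint_headers(sys.argv[1], sys.argv[2])))
    else:
        print("scan result:", check_hsts(parse_headers(RESPONSE_WITHOUT_HSTS)))
        print("hardened:   ", check_hsts(parse_headers(RESPONSE_WITH_HSTS)))
```

The live check sends an incomplete token request on purpose: the header must be present on error responses as well as on successful ones, and the endpoint should be reached over TLS, since a browser ignores Strict-Transport-Security received over plain HTTP.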
Problem conclusion
Fixed in 2018.4.1.16, 10.0.1.3, 10.0.2.0
Temporary fix
Comments
APAR Information
APAR number
IT35248
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
18X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-12-11
Closed date
2021-03-30
Last modified date
2021-07-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R770 PSY
UP
RA0X PSY
UP
Product
IBM DataPower Gateways (SS9H2Y)
Platform
Platform Independent (PF025)
Version
18X
Line of Business
Automation (LOB45)
Business Unit
Cloud & Data Platform (BU053)
Document Information
Modified date:
29 August 2021