How to Address Apache Tomcat Vulnerabilities in Client Automation 14 SP2

Article ID: 117102

Products

CA Client Automation - IT Client Manager
CA Client Automation

Issue/Introduction

Multiple vulnerabilities are present in the version of Apache Tomcat installed by default in ITCA 14 SP2. What is the best way to address them?

Environment

Client Automation R14 SP2

Cause

Vulnerabilities have been found in Apache Tomcat version 8.5.6, which is the version used by default in this release of the product.

Resolution

Upgrading the version of Apache Tomcat used by Web Services / Web Console on the Manager system to version 8.5.34 should address all currently detected vulnerabilities.

At the time of this writing, it was possible to download 32-bit Apache Tomcat 8.5.34 for Windows via the following URL:

http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-8/v8.5.34/bin/apache-tomcat-8.5.34-windows-x86.zip

Using this zip file, it was possible to perform the following procedure*:

1. Extract the files and copy the root 'apache-tomcat-8.5.34' folder into \CA\SC\Tomcat, making sure its contents roughly match what is seen in \CA\SC\Tomcat\8.5.6\ (there may be some differences; that is OK).
2. Open an administrative command prompt and run 'CAF STOP TOMCAT'.
3. When the stop completes, rename the folder \8.5.6\ to \8.5.OLD6\.
4. Rename the new folder from 'apache-tomcat-8.5.34' to \8.5.6\.
5. Run 'CAF START TOMCAT'.
6. Wait 3-5 minutes for full initialization of services.
7. Test.
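The following PowerShell script is an added example that scripts the folder swap described in steps 1-7 above; it is not part of this article and is not a CA-supplied tool. It assumes the product is installed under C:\CA\SC, that the 'caf' command is on the PATH of an administrative PowerShell session, and that the downloaded zip has already been extracted to C:\Temp (all three are assumptions, not values from the article). It keeps the 8.5.6 tree as the 8.5.OLD6 backup exactly as the article does, refuses to run if a backup already exists, and only warns (does not abort) when the top-level layout of the new folder differs from the old one, because the article states that some differences are expected.

```powershell
# Added example: scripted version of the Tomcat folder-swap procedure in this article.
# Assumptions (not from the article): install root C:\CA\SC, 'caf' on PATH,
# new distribution already extracted to C:\Temp\apache-tomcat-8.5.34.
$ErrorActionPreference = 'Stop'

$TomcatRoot = 'C:\CA\SC\Tomcat'                               # assumed install root
$Current    = Join-Path $TomcatRoot '8.5.6'                   # folder name CAF expects (from the article)
$Backup     = Join-Path $TomcatRoot '8.5.OLD6'                # backup name used in the article
$Staged     = Join-Path $TomcatRoot 'apache-tomcat-8.5.34'    # step 1 destination
$Extracted  = 'C:\Temp\apache-tomcat-8.5.34'                  # assumed extraction location

# Pre-checks: the new tree must exist, and a previous backup must not be overwritten.
if (-not (Test-Path $Extracted)) { throw "Extracted Tomcat folder not found: $Extracted" }
if (Test-Path $Backup) { throw "Backup folder $Backup already exists; refusing to overwrite it" }
if (Test-Path $Staged) { throw "Staging folder $Staged already exists; remove it and retry" }

# Step 1: copy the extracted distribution into the Tomcat root.
Copy-Item -Path $Extracted -Destination $Staged -Recurse

# Sanity check from step 1: top-level layout of the new folder should roughly match
# the current one. The article says differences are acceptable, so only report them.
$oldTop  = Get-ChildItem $Current | Select-Object -ExpandProperty Name
$newTop  = Get-ChildItem $Staged  | Select-Object -ExpandProperty Name
$missing = $oldTop | Where-Object { $_ -notin $newTop }
if ($missing) { Write-Warning ("Present in 8.5.6 but not in the new tree: " + ($missing -join ', ')) }

# Step 2: stop Tomcat through CAF (command from the article).
& caf stop tomcat
if ($LASTEXITCODE -ne 0) { throw "caf stop tomcat failed with exit code $LASTEXITCODE" }

# Steps 3-4: keep the old tree as the backup and put the new tree where CAF expects it.
Rename-Item -Path $Current -NewName '8.5.OLD6'
Rename-Item -Path $Staged  -NewName '8.5.6'

# Step 5: start Tomcat again.
& caf start tomcat
if ($LASTEXITCODE -ne 0) { throw "caf start tomcat failed with exit code $LASTEXITCODE" }

# Step 6: the article recommends waiting 3-5 minutes for services to initialize.
Start-Sleep -Seconds 240

# Step 7 (partial): confirm the tree now under 8.5.6 is the 8.5.34 distribution by
# checking the version banner in Tomcat's RELEASE-NOTES file (assumes the standard
# Tomcat layout). The Web Admin Console checks listed in the article remain manual.
$notes = Join-Path $Current 'RELEASE-NOTES'
if (-not (Test-Path $notes) -or -not (Select-String -Path $notes -Pattern '8\.5\.34' -Quiet)) {
    throw "Tree under $Current does not look like Apache Tomcat 8.5.34; inspect before testing"
}
Write-Output "Tomcat 8.5.34 is in place; backup of 8.5.6 kept at $Backup. Proceed with manual tests."
```

Run the script from an elevated PowerShell session. If anything after step 2 fails, the original tree is still intact under either 8.5.6 or 8.5.OLD6, so recovery is a rename back followed by 'CAF START TOMCAT'.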

It was possible to do all of the following successfully:

1. Log on to the Web Admin Console.
2. Connect to the Patch Manager portion and browse all items.
3. Change the status of a patch.
4. Change configuration values of several items and confirm they saved successfully.
5. Browse to a computer in the WAC.
6. Drill into each tab to view the Summary page, inventory, patches, installation history, etc.
7. View the Health Monitoring section of the WAC.

Additional Information

*NOTE: This is an INFORMAL, a.k.a. NON-CERTIFIED, procedure, tested by support, and it could conceivably lead to unexpected issues; therefore this procedure should be considered 'use at your own risk'. That being said, the actual risk of this upgrade should be minimal, as this is an incremental update and not a major version update of Apache Tomcat.

*NOTE: There has been no testing of this kind involving the replacement of the Apache Tomcat used by Extended Network Connectivity (ENC). If you are a user of ENC and have Tomcat version/vulnerability concerns, a support ticket should be opened to investigate your options.

As all basic tests of Web Services / Web Admin Console functions were successful, this procedure should be acceptable to carry out for most users.