Is Access Gateway R12.7 affected by Tomcat Vulnerability (CVE-2017-12617)?

Article ID: 16128

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We are using CA SSO Access Gateway R12.7 on the Linux platform. In this version, Tomcat 7.0.77 is being used, and we found the following vulnerability:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82

In our configuration, we have not set the readonly initialization parameter. Can the SPS Tomcat be affected? What is the default value?

Environment

Access Gateway R12.7

Resolution

This vulnerability only affects Tomcat servers on which HTTP PUT requests are enabled, because an attacker can use PUT to upload a file that the server will then execute.

By default, the SPS/Access Gateway Tomcat sets the readonly parameter of the default servlet to true, so HTTP PUT requests are not allowed out of the box.

However, if you have modified the default servlet configuration to set the readonly parameter to false, then you are exposed to this vulnerability.
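As an added check (not part of this article or of the product), the script below reads a Tomcat conf/web.xml and reports the effective readonly value of the DefaultServlet, treating an absent parameter as true, which is the Tomcat default the article describes. The two web.xml fragments are constructed samples, not the product's shipped configuration.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective 'readonly' value of Tomcat's DefaultServlet in a web.xml.

    A missing init-param means Tomcat's default (True): PUT/DELETE refused.
    An explicit value follows Java's Boolean.parseBoolean: only 'true'
    (case-insensitive) counts as true. Returns None if no DefaultServlet
    definition is present.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [c.text or "" for c in servlet if _local(c.tag) == "servlet-class"]
        if not cls or cls[0].strip() != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(ch.tag): (ch.text or "").strip() for ch in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() == "true"
        return True  # parameter absent: Tomcat default
    return None

def put_allowed(web_xml_text):
    """True only when readonly is explicitly false, i.e. PUT would be accepted."""
    return default_servlet_readonly(web_xml_text) is False

# Constructed sample fragments (not taken from the product's shipped web.xml).
WEB_XML_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
WEB_XML_WRITABLE = WEB_XML_DEFAULT.replace("<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value>"
    "</init-param>\n    <load-on-startup>")
```

Run `put_allowed(open("conf/web.xml").read())` against the Access Gateway's Tomcat configuration; a result of True means the readonly parameter has been changed from the default and the server should be reviewed.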

Additional Information

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617