We are using CA SSO Access Gateway R12.7 on Linux platform. In this version, Tomcat 7.0.77 is being used, and found the following vulnerability:
In our configuration, we have not set the readonly initialization parameter. Can be the SPS Tomcat affected? What is the default value?
This vulnerability only affect those Tomcat servers having the HTTP PUT commands enabled to allow them, as it can take advantage of this to set a specific file to be run on the server.
By default, SPS/Access Gateway Tomcat sets the readonly parameter to true, so HTTP PUT commands are not allowed as OOTB.
However, if you modified the default servlet configuration to set the readonly parameter to false, then you can be affected by this vulnerability.