Is Access Gateway R12.7 affected by Tomcat Vulnerability (CVE-2017-12617)?


Article ID: 16128


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


We are using CA SSO Access Gateway R12.7 on a Linux platform. In this version, Tomcat 7.0.77 is being used, and we found the following vulnerability:

In our configuration, we have not set the readonly initialization parameter. Can the SPS Tomcat be affected? What is the default value?


Access Gateway R12.7


This vulnerability only affects Tomcat servers on which HTTP PUT requests are enabled, because PUT can then be used to place a file on the server that is subsequently executed.

By default, the Tomcat shipped with SPS/Access Gateway sets the readonly parameter of the default servlet to true, so HTTP PUT requests are not allowed out of the box (OOTB).

However, if you have modified the default servlet configuration to set the readonly parameter to false, then you can be affected by this vulnerability.
