ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Must Apache Tomcat 8.5.6 in the CA Service Management 17.2 environment be upgraded to 8.5.51 or higher to avoid the CVE-2020-1938 vulnerability?

book

Article ID: 186595

calendar_today

Updated On:

Products

CA Service Desk Manager SUPPORT AUTOMATION- SERVER CA Service Desk Manager - Unified Self Service KNOWLEDGE TOOLS CA Service Desk Manager - Mobile Application CA Service Desk Manager - Xtraction

Issue/Introduction

CA Service Management 17.0 and 17.2 are both packaged with Apache Tomcat Server version 8.5.6.  This dependency is documented in the Supportability Matrix. 

However version 8.5.6 of Apache Tomcat has known vulnerabilities, for example, CVE-2020-1938.

Is a later version of Apache Tomcat supported with CA Service Management 17.2? 

Environment

Release : 17.2

Component : SERVICE DESK MANAGER

Resolution

You may upgrade Apache Tomcat to version 8.5.51, which is the version that resolves CVE-2020-1938. However, it may not be necessary to upgrade to 8.5.51 to avoid only CVE-2020-1938.

The vulnerability named CVE-2020-1938 is fixed in Tomcat 8.5.51.  However, AJP connections are not used by Service Desk Manager, xFlow, Service Point or ITAM; Service Catalog needs to have AJP Connector enabled only in load balancing scenario.  Generally, though, it is advisable to keep the environment up-to-date with the current point versions of Tomcat 8.5.

The Apache Tomcat version supported by CA Service Management 17.2 in the product documentation as Tomcat 8.5.6. Additionally, point releases above 8.5.6 are supported.

The latest Tomcat 8.5 version that is available today (on 2020-03-16) is 8.5.51, which is a point release of 8.5.6 and so it is supported by CA/Broadcom support and engineering team.

There is no automated method provided in the CA Service Management product to upgrade Apache Tomcat 8.5.6 to 8.5.51.  A manual procedure to upgrade Apache Tomcat is documented in the 14.1 product documentation; the procedure for 17.2 would be similar.  Please see additional information below.

Additional Information


Supportability Matrix for CA Service Management 17.2
( Also see knowledge article 143911 ).

Apache Tomcat versions

CVE-2020-1938 is fixed in Apache Tomcat 8.5.51

How to upgrade Apache Tomcat 8.5.6 to 8.5.16 in CA Service Desk 14.1