Must Apache Tomcat 8.5.6 in the CA Service Management 17.2 environment be upgraded to 8.5.51 or higher to avoid the CVE-2020-1938 vulnerability?
Article ID: 186595
Products: CA Service Desk Manager, SUPPORT AUTOMATION - SERVER, CA Service Desk Manager - Unified Self Service, CA Service Desk Manager - Mobile Application, CA Service Desk Manager - Xtraction
CA Service Management 17.0 and 17.2 are both packaged with Apache Tomcat Server version 8.5.6. This dependency is documented in the Supportability Matrix.
However, version 8.5.6 of Apache Tomcat has known vulnerabilities, for example CVE-2020-1938.
Is a later version of Apache Tomcat supported with CA Service Management 17.2?
Release : 17.2
Component : SERVICE DESK MANAGER
You may upgrade Apache Tomcat to 8.5.51, the release in which CVE-2020-1938 is fixed. Upgrading is not strictly required if CVE-2020-1938 is the only concern, for the reason given below.
CVE-2020-1938 (commonly called Ghostcat) is a flaw in Tomcat's AJP connector and is fixed in Tomcat 8.5.51. AJP connections are not used by Service Desk Manager, xFlow, Service Point or ITAM; Service Catalog needs the AJP connector enabled only in a load-balancing scenario. Note that exposure depends on whether the AJP connector is listening, not on whether the product uses it: the stock server.xml shipped with Tomcat 8.5.x before 8.5.51 enables an AJP/1.3 connector on port 8009, so on each instance that is not upgraded, confirm in conf/server.xml that the connector is commented out, or, where Service Catalog needs it, bound to a trusted address and protected with an AJP secret. Generally, though, it is advisable to keep the environment up to date with the current point release of Tomcat 8.5.
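The following script is an added example, not part of this article or of the CA Service Management product, showing how to check a Tomcat server.xml for an active AJP connector and for the two mitigations that 8.5.51 introduced (a non-wildcard bind address and a required shared secret). The three server.xml documents are constructed for the example, modelled on the stock Tomcat 8.5.x file; they are not taken from a real installation, and the address and secret values in the load-balancer variant are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the stock server.xml that ships with Tomcat
# 8.5.x before 8.5.51, where the AJP/1.3 connector on port 8009 is enabled.
# It is not a file taken from a CA Service Management installation.
SERVER_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed: the same file with the AJP connector commented out, which is
# how an instance that does not use AJP (SDM, xFlow, Service Point, ITAM)
# should look.
SERVER_XML_HARDENED = SERVER_XML_DEFAULT.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)

# Constructed: AJP kept for a load-balancing scenario on Tomcat 8.5.51+, bound
# to a single address and requiring a shared secret. The address and secret
# are placeholders, not values from any real deployment.
SERVER_XML_LB = SERVER_XML_DEFAULT.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secretRequired="true" secret="example-shared-secret" redirectPort="8443" />',
)

# Bind addresses that expose the connector on every interface. None covers a
# connector with no address attribute, which Tomcat treats as a wildcard bind.
WILDCARD_ADDRESSES = {None, "0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def ajp_connectors(server_xml: str) -> list:
    """Return the attribute dicts of all active AJP connectors.

    ElementTree discards XML comments while parsing, so a connector that has
    been commented out in server.xml is correctly reported as absent. The
    protocol check also matches explicit class names such as
    org.apache.coyote.ajp.AjpNioProtocol.
    """
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if "AJP" in c.get("protocol", "HTTP/1.1").upper()]


def assess_cve_2020_1938(server_xml: str) -> dict:
    """Classify one server.xml against CVE-2020-1938 exposure.

    Returns {"ajp_enabled": bool, "findings": [str, ...]}. ajp_enabled=False
    means no AJP connector is active. ajp_enabled=True with an empty findings
    list means the connector is confined to a specific address and protected
    by a shared secret; any finding means the connector is reachable in the
    way Ghostcat needs and the instance should be upgraded or reconfigured.
    """
    findings = []
    conns = ajp_connectors(server_xml)
    for c in conns:
        port = c.get("port", "8009")
        if c.get("address") in WILDCARD_ADDRESSES:
            findings.append(f"AJP connector on port {port} listens on all interfaces")
        if c.get("secretRequired", "true").lower() != "true" or not c.get("secret"):
            findings.append(f"AJP connector on port {port} does not require a shared secret")
    return {"ajp_enabled": bool(conns), "findings": findings}


if __name__ == "__main__":
    samples = [
        ("stock 8.5.6-style server.xml", SERVER_XML_DEFAULT),
        ("AJP connector commented out", SERVER_XML_HARDENED),
        ("AJP for load balancing, bound and secret-protected", SERVER_XML_LB),
    ]
    for name, xml in samples:
        result = assess_cve_2020_1938(xml)
        print(f"{name}: ajp_enabled={result['ajp_enabled']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To use it against a real instance, read CATALINA_HOME/conf/server.xml into a string and pass it to assess_cve_2020_1938; a result with findings on an instance still running 8.5.6 indicates the connector is reachable regardless of whether the CA component on that host uses AJP.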
The Apache Tomcat version supported by CA Service Management 17.2 is listed in the product documentation as Tomcat 8.5.6. Point releases above 8.5.6 are also supported.
The latest Tomcat 8.5 version available today (2020-03-16) is 8.5.51, which is a point release in the same 8.5 line as 8.5.6 and so is supported by the CA/Broadcom support and engineering teams.
There is no automated method in the CA Service Management product to upgrade Apache Tomcat from 8.5.6 to 8.5.51. A manual procedure for upgrading Apache Tomcat is documented in the 14.1 product documentation; the procedure for 17.2 is similar. Please see additional information below.