
Upgrading Apache Tomcat to Address Vulnerabilities


Article ID: 187052


Products

CA Service Desk Manager CA Service Management - Service Desk Manager

Issue/Introduction

Vulnerabilities are sometimes reported against third-party components such as Apache Tomcat.

It may be desirable to upgrade the version of Tomcat to avoid vulnerabilities.

Environment

Release : 14.1, 17.1, 17.2

Component : SERVICE DESK MANAGER

Resolution

Service Desk Manager may be upgraded to use any Tomcat 8.5-based version, such as 8.5.16 or 8.5.51.

There is one general upgrade procedure, and it is the same for all versions of Service Desk Manager that ship with Tomcat. It is documented in the online product documentation for CA Service Desk Manager 14.1.

The procedure to upgrade Tomcat can be viewed here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/14-1/implementing/implementing-ca-service-management-14-1/step-4-install-or-upgrade/implementing-ca-service-desk-manager/how-to-install-ca-sdm/step-3-install-other-components/install-and-configure-apache-tomcat-8-5-16.html

Another scenario to consider is when the Tomcat configuration itself needs to be updated to address a vulnerability. The following documentation page discusses Cross-Site Scripting vulnerabilities and how to address them:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/installing/installing-ca-service-management-17-3/installing-ca-service-desk-manager/securing-ca-sdm-from-cross-site-scripting-vulnerabilities.html

In one such instance, a third-party security scanning tool was found to be probing one of the pdmweb.exe parameters by simulating a malicious code attack. The correct response was to update the White List pattern so that certain characters are disallowed in the affected parameter. Limiting the parameter to a restricted character set, such as alphanumeric characters only, effectively prevents this kind of attack.
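The following is an added illustration of the allow-list idea described above, written in Python for this article; it is not CA SDM's own White List configuration format, and the parameter names (OP, SID, KEEP.ref) and the regular expressions are constructed assumptions. It shows a fail-closed check that accepts only the characters a parameter legitimately needs, rejects everything else, and points out the `$` anchor pitfall that lets a value with a trailing newline slip through a naive pattern.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical per-parameter allow-list patterns (constructed for this example,
# not CA SDM configuration). Each pattern names the full set of characters the
# parameter is allowed to contain; anything outside that set is rejected.
PARAM_ALLOWLIST = {
    "OP": re.compile(r"[A-Za-z0-9_]{1,32}"),        # operation name: alphanumeric + underscore
    "SID": re.compile(r"[0-9]{1,20}"),              # session id: digits only
    "KEEP.ref": re.compile(r"[A-Za-z0-9_:.\-]{0,64}"),  # reference token: limited punctuation
}


def check_parameter(name, value):
    """Return True only when `value` consists entirely of characters the
    allow-list for `name` permits. Unknown parameters are rejected (fail closed)
    rather than passed through unchecked."""
    pattern = PARAM_ALLOWLIST.get(name)
    if pattern is None:
        return False
    # fullmatch requires the whole value to match. A pattern anchored with `$`
    # would also match when the value ends in "\n", which is why `$` is avoided.
    return pattern.fullmatch(value) is not None


def naive_dollar_check(value):
    """Demonstrates the pitfall: `$` matches before a trailing newline, so a
    value of "1\n" is accepted even though it contains a non-digit."""
    return re.match(r"[0-9]{1,20}$", value) is not None


def validate_query(query_string):
    """Split a raw query string into parameters and sort them into
    (accepted, rejected) lists of parameter names."""
    accepted, rejected = [], []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        (accepted if check_parameter(name, value) else rejected).append(name)
    return accepted, rejected


# Constructed sample query strings, as a scanner or browser might send them.
SAMPLE_QUERIES = [
    "OP=SEARCH&SID=12345",            # well-formed: both parameters accepted
    "OP=SEARCH%3Cb%3E&SID=12345",     # "<b>" decoded into OP: OP rejected
    "OP=SEARCH&SID=1%0A",             # trailing newline in SID: SID rejected
    "OP=SEARCH&UNKNOWN=x",            # parameter not on the allow-list: rejected
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        ok, bad = validate_query(q)
        print(f"{q!r}: accepted={ok} rejected={bad}")
```

When adapting this to a real deployment, build each pattern from the characters the application actually needs for that parameter rather than from a list of characters to forbid; a deny-list must anticipate every encoding trick, whereas an allow-list only has to describe the legitimate input.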

Additional Information

Please test any upgrades for Tomcat in a non-prod instance before attempting in production and be sure to have a rollback plan developed for any production upgrades to Tomcat prior to any such attempt.

Please review the Supportability Matrix for any questions regarding the compatibility and supportability of any components that need to be upgraded:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Release-Information/CA-Service-Management-17_3-Release-Notes/supportability-matrix.html

It is the responsibility of the end user to work with their security team to determine the nature of the attack and the actions needed to address it. This may include analyzing the attack, i.e. whether a specific parameter was involved, and deciding how to address it based on site requirements. Support is limited in the assistance it can provide when examining and analyzing third-party reports.
