Looks like the below Vulnerability is more related to Apache tomcat and not specific to any CA products. We not only have access Gateway using Tomcat, we also have MFA and Identity Portal(14.2 currently active in prod) using Tomcat servers. From what I understood about ghostcat vulnerabilities it should impact all the products that use Tomcat. Do we have separate fixes for them too? If so can you please provide the links for them.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This notice is to alert you to the availability of patches and instructions regarding the Ghostcat vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938 and https://nvd.nist.gov/vuln/detail/CVE-2020-1938). This vulnerability is rated at 9.8 Critical Severity. Please give this high attention.
SiteMinder embeds Apache Tomcat in the SiteMinder Access Gateway and the SiteMinder Agent for SharePoint and makes use of the Apache JServ Protocol (AJP). Patches and deployment instructions for the following versions of these SiteMinder components are being made available via this location
When you reach that location, search on “Ghost” and you will find a link to deployment instructions and to the patches for each of these:
· Access Gateway (previously SPS) versions 12.8.x, 12.7.x, 12.6.x · Agent for SharePoint version 12.52 SP1 (all CRs)
The method to exploit this vulnerability is not described in the CVE detail. However, in order to provide a higher level of assurance to our customers we are providing these patches.
Release : 9.1
Component : AuthMinder(Arcot WebFort), RiskMinder