
CA IM (IGA) CVE-2020-1938 (Ghostcat) vulnerability


Article ID: 188425


Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

CA Broadcom Identity Manager (also known as Symantec IGA) runs Apache Tomcat in the Virtual Appliance and makes use of the Apache JServ Protocol (AJP). This Tomcat instance is subject to the CVE-2020-1938 (Ghostcat) vulnerability, which is rated 9.8 (Critical) severity. Please give this high attention.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

Patches and deployment instructions for the following versions of these Virtual Appliance components are available via the following locations:

14.3:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/virtual-appliance/configuring-virtual-appliance.html#concept.dita_e8bc3a132b722521f1368d7a3210969a821df413_ToggleAJPListener

14.2:

http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-2/release-notes/virtual-appliance-release-notes/CA-VA-Hotfixes.html

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-2/virtual-appliance/configuring-virtual-appliance.html#concept.dita_e051b2ab7d7bc1a0afe6e0fd556b3e338354acf3_ToggleAJPListener

14.1:

http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-portal/14-1/release-notes/ca-identity-suite-virtual-appliance-release-notes/virtual-appliance-service-packs-and-cumulative-patches-14-1/ca-identity-suite-virtual-appliance-cumulative-patches/CA-VA-Hotfixes.html

http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-portal/14-1/configuring/configuring-ca-identity-suite-virtual-appliance.html#concept.dita_b55dff851250643ec08e43938e5d6f26184a6f90_ToggleAJPListener
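The hotfix pages above describe toggling the AJP listener; the following added example (not code from Broadcom or the appliance hotfixes) audits a Tomcat server.xml to confirm that no AJP connector is left reachable without a loopback bind or a shared secret. The sample server.xml content is constructed, and reading the file from the appliance's Tomcat directory is an assumption about where the configuration lives.

```python
# Audit a Tomcat server.xml for AJP connectors reachable without a secret
# (the Ghostcat, CVE-2020-1938, exposure). Commented-out connectors are XML
# comments and are never reported, i.e. they count as "listener disabled".
from __future__ import annotations

import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one HTTP connector, one default AJP connector (exposed),
# one AJP connector hardened with a loopback bind and a shared secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per AJP connector; 'exposed' marks those still at risk."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # only the AJP listener is affected by CVE-2020-1938
        address = conn.get("address", "")  # unset: older Tomcat binds every interface
        # 'secret' is the 9.0.31+/8.5.51+ attribute; 'requiredSecret' the older spelling
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        findings.append({
            "port": conn.get("port"),
            "address": address or "(all interfaces)",
            "secret_configured": has_secret,
            "exposed": address not in LOOPBACK and not has_secret,
        })
    return findings


def exposed_ajp_ports(server_xml: str) -> list[str]:
    """Ports of AJP connectors that still need the hotfix or a listener toggle."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["exposed"]]


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP port {f['port']} on {f['address']}: {'EXPOSED' if f['exposed'] else 'ok'}")
```

A clean audit only confirms the listener configuration; the vendor hotfix still has to be applied so the Tomcat build itself is patched.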


Additional Information


In addition, the CA Identity Manager report server solution, which is based on TIBCO JasperSoft, also uses Apache Tomcat. For more information on how to mitigate this CVE there, please follow the instructions at this link:

https://community.jaspersoft.com/wiki/fixing-tomcat-cve-2020-1938-tibco-jasperreporrts-server

This is also discussed in the KB article "Is CABI Jaspersoft vulnerable by CVE-2020-1938 "GhostCat" vulnerability?" (https://knowledge.broadcom.com/external/article?articleId=185905).