Problems with ghostcat fix

Article ID: 188645

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a CA Access Gateway (SPS) and, after applying the
GhostCat patch, when the browser reaches the / URL, the browser
receives a 503 return code:

    503 Service Unavailable

      The server cannot handle the request (because it is overloaded or
      down for maintenance). Generally, this is a temporary state.

    https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

We get this issue each time you apply the GhostCat fix:

    SS12449

    cksum ./ghostcat/proxyrt.jar
    502116040 134659 ./ghostcat/proxyrt.jar

    SS12488

    cksum ./ghostcat2/proxyrt.jar
    647660834 134616 ./ghostcat2/proxyrt.jar

as per the documentation here:

    Fix CVE-2020-1938 Vulnerability in Apache Tomcat
    http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/troubleshooting/ca-access-gateway-troubleshooting.html#concept.dita_3c58f8538a3792160c8b1c07691f625691ccb958_FixCVE-2020-1938VulnerabilityinApacheTomcat

How can we fix this?

Environment


  CA Access Gateway (SPS) 12.8SP0 on RedHat 6;

  CA Access Gateway (SPS) 12.8SP0 on Windows 2016;

Resolution


On the CA Access Gateway (SPS) machine, run the following commands
as root or Administrator:

On Linux:

Edit /etc/sysctl.conf and add:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

On Windows:

  1. Start > Run > Regedit
  2. Navigate to
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters
  3. Create a new DWORD (32 bit) named DisabledComponents
  4. Set the value to Hex: ff (To enable IPv6, enter Hex: 0)

Reboot the CA Access Gateway (SPS) machine.
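
A check for the Linux half of the resolution, as an added example that is not part of the original article: it reads the two keys from a sysctl.conf-style file and compares them with what the running kernel reports after the reboot. The function names, the optional path arguments and the `--check` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: confirm the Linux IPv6 settings from the Resolution.
# Function names and the optional path arguments are assumptions of this sketch.

# Print the effective value of KEY ($1) in a sysctl.conf-style FILE ($2).
# Comment lines (# or ;) and blank lines are skipped; the last assignment wins.
sysctl_conf_value() {
    awk -F= -v want="$1" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == want) val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# 0: both keys from the article are set to 1; 1: one is missing or not 1;
# 2: the file cannot be read.
ipv6_disabled_in_conf() {
    file=${1:-/etc/sysctl.conf}
    [ -r "$file" ] || return 2
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        [ "$(sysctl_conf_value "$key" "$file")" = "1" ] || return 1
    done
    return 0
}

# 0 if the running kernel reports disable_ipv6 = 1 for "all" and "default".
# A missing /proc entry also returns 1; check that case by hand.
ipv6_disabled_at_runtime() {
    root=${1:-/proc/sys}
    for scope in all default; do
        f="$root/net/ipv6/conf/$scope/disable_ipv6"
        [ -r "$f" ] || return 1
        [ "$(cat "$f")" = "1" ] || return 1
    done
    return 0
}

# Run as: sh check_ipv6.sh --check   (after the reboot)
if [ "${1:-}" = "--check" ]; then
    ipv6_disabled_in_conf && echo "sysctl.conf: IPv6 disabled" || echo "sysctl.conf: NOT set"
    ipv6_disabled_at_runtime && echo "runtime: IPv6 disabled" || echo "runtime: NOT disabled"
fi
```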