CVE-2020-9484 Tomcat Vulnerability

Article Id: 194379
Status: Published
Updated On: 03-07-2020 12:36
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On Agents (SiteMinder) , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER
Issue/Introduction:

 

We're running a CA Access Gateway (SPS) 12.8SP3 and we'd like to know
if this one is affected by "CVE-2020-9484 Tomcat Vulnerability" ?

 

Environment:

 

SiteMinder 12.8SP3

 

Resolution:

 

At first glance, as you mentioned, this vulnerability affects Tomcat
7.0.0 to 7.0.103 :

  CVE-2020-9484 Detail

    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1
    to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103

    [...]

  https://nvd.nist.gov/vuln/detail/CVE-2020-9484

In CA Access Gateway (SPS) 12.8SP4, the Tomcat 7 has been upgraded
already to 7.0.104 which is not affected by that vulnerability.

  Defects Fixed in 12.8.04

    20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
    DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
    2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is upgraded
    to 7.0.104.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html#concept.dita_94165a57-6b0d-4105-91d3-53d482bf212b_smsps

So the solution is to upgrade the CA Access Gateway (SPS) to 12.8SP4.

About the Web Agent Option Pack, you just have to patch the Tomcat
version you run as we don't provide the Tomcat version. It's on your
responsability.

I've checked and Web Agent Option Pack 12.52SP1CR10 64bit is supported
on Tomcat 8.5 :

  CA SiteMinder 12.52 Product Support Matrix

    | Application    | Version | Red Hat |
    | Server         |         | 64-bit  |
    |----------------+---------+---------|
    | ASF Tomcat 64- |     8.5 | 7 (SP01 |
    | bit            |         | CR08)   |

    p.25

  https://ftpdocs.broadcom.com/phpdocs/7/5262/5262_SiteMinder_12_52_SP1_Platform_Support.pdf

The same seems to apply to Advanced Authentication :

  Platform Support Matrix

    Web Application Servers
 
    | Web Application Servers         | Support Notes |
    |---------------------------------+---------------|
    | Apache Tomcat 8.0.x, 8.5.x, 9.0 | Yes           |

    CA Risk Authentication REST Web Services (Pre 9.0 Version)

    | Web Application Servers    | Support Notes |
    |----------------------------+---------------|
    | Apache Tomcat 8.0.x, 8.5.x | Yes           |
    
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-0/release-notes/platform-support-matrix.html