We're running a CA Access Gateway (SPS) 12.8SP3 and we'd like to know
if this one is affected by the "CVE-2020-9484 Tomcat Vulnerability".
SiteMinder 12.8SP3
At first glance, as you mentioned, this vulnerability affects Tomcat
7.0.0 to 7.0.103:
CVE-2020-9484 Detail
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1
to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103
[...]
https://nvd.nist.gov/vuln/detail/CVE-2020-9484
In CA Access Gateway (SPS) 12.8SP4, Tomcat 7 has already been upgraded
to 7.0.104, which is not affected by that vulnerability.
Defects Fixed in 12.8.04
20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is upgraded
to 7.0.104.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html#concept.dita_94165a57-6b0d-4105-91d3-53d482bf212b_smsps
So the solution is to upgrade the CA Access Gateway (SPS) to 12.8SP4.
For the Web Agent Option Pack, you just have to patch the Tomcat
version you run, as we don't provide the Tomcat version. That is your
responsibility.
I've checked and Web Agent Option Pack 12.52SP1CR10 64bit is supported
on Tomcat 8.5:
CA SiteMinder 12.52 Product Support Matrix
| Application Server | Version | Red Hat 64-bit |
|--------------------+---------+----------------|
| ASF Tomcat 64-bit  | 8.5     | 7 (SP01 CR08)  |
p.25
https://ftpdocs.broadcom.com/phpdocs/7/5262/5262_SiteMinder_12_52_SP1_Platform_Support.pdf
The same seems to apply to Advanced Authentication:
Platform Support Matrix
Web Application Servers
| Web Application Servers | Support Notes |
|---------------------------------+---------------|
| Apache Tomcat 8.0.x, 8.5.x, 9.0 | Yes |
CA Risk Authentication REST Web Services (Pre 9.0 Version)
| Web Application Servers | Support Notes |
|----------------------------+---------------|
| Apache Tomcat 8.0.x, 8.5.x | Yes |
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-0/release-notes/platform-support-matrix.html
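Because the Tomcat under the Web Agent Option Pack and Advanced Authentication is one you maintain yourself, a quick check of its version against the affected ranges quoted from NVD above is useful. The following is an added example, not Broadcom or Apache code; the function names are hypothetical and the sample lines are constructed in the style of the output of Tomcat's bin/version.sh.

```python
import re

# Affected ranges exactly as quoted from the NVD entry on this page
# (inclusive bounds; "M" marks a milestone pre-release).
AFFECTED = [
    ("10.0.0-M1", "10.0.0-M4"),
    ("9.0.0.M1", "9.0.34"),
    ("8.5.0", "8.5.54"),
    ("7.0.0", "7.0.103"),
]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Return a sortable key (major, minor, patch, is_final, milestone).

    Accepts '7.0.103', '9.0.0.M1', '10.0.0-M4', 'Apache Tomcat/8.5.54' or a
    'Server number: 7.0.103.0' line; milestones sort before the final release.
    """
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(4)))


def is_affected(text):
    """True if the version is inside a range quoted on this page.

    False only means "not in the quoted ranges", not "verified safe".
    """
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts, version.sh-style lines).
    samples = [
        "Server number:  7.0.103.0",                # last affected 7.0.x
        "Server number:  7.0.104.0",                # shipped with 12.8SP4
        "Server version: Apache Tomcat/8.5.54",
        "Server version: Apache Tomcat/9.0.0.M1",
        "Server version: Apache Tomcat/10.0.0-M5",
    ]
    for line in samples:
        print(f"{line.strip():45} affected={is_affected(line)}")
```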