Apache Tomcat Vulnerabilities


Article ID: 195625

Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER

Issue/Introduction

We're running a CA Access Gateway (SPS) 12.8SP1 and we'd like to know
if the following vulnerabilities impact it:

  1. Tomcat Vulnerability - CVE-2020-13935 Apache Tomcat WebSocket
     Denial of Service.

  2. CVE-2020-9484 Vulnerability in Apache Tomcat.

How can we prevent those vulnerabilities?

Environment

Policy Server 12.8SP1 on RedHat 7

Resolution

At first glance, yes, 12.8 and 12.8SP1 are impacted: the 12.8 CA Access
Gateway (SPS) ships with Tomcat 7.0.94, which falls inside the affected
ranges of both CVEs:

   Third-Party Software Acknowledgments

     Tomcat 7.0.94

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/third-party-software-acknowledgments.html

1. CVE-2020-13935 concerns Tomcat's WebSocket implementation. CA Access
   Gateway (SPS) does not support WebSocket, so it is not exposed to this
   vulnerability even though its Tomcat version is in the affected range:

   Websocket support by Siteminder
   https://knowledge.broadcom.com/external/article?articleId=15314

   CVE-2020-13935

     affects : Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36,
     8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935

2. For CVE-2020-9484, Apache provides a fix; the steps for applying it to
   CA Access Gateway are in the documentation here:

   Fix for the CVE-2020-9484 Vulnerability in Apache Tomcat
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/troubleshooting/ca-access-gateway-troubleshooting.html

   CVE-2020-9484

     affects : Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1
     to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484

   As per the documentation:

     To fix the vulnerability in Release 12.8.02 or 12.8.03, we recommend
     that you apply the latest SiteMinder patch related to this
     vulnerability on Access Gateway in your environment.

   As per the CR download site, the patch is only available for 12.8SP2
   and 12.8SP3. The fix is already included in 12.8SP4, because 12.8SP4
   runs Tomcat 7.0.104, which is outside the affected range of
   CVE-2020-9484:

     Defects Fixed in 12.8.04

       20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
       DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
       2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
       upgraded to 7.0.104.

     https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html

So, to fix the issue, update the environment to 12.8SP4.
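As an added check, not part of this article or of Broadcom's documentation, the following Python script compares a Tomcat version string against the affected ranges quoted above for both CVEs. It handles Tomcat's milestone notation (10.0.0-M1, 9.0.0.M1), which a plain string comparison gets wrong, and it can pull the version out of the "Server version: Apache Tomcat/x.y.z" line printed by Tomcat's version script; the sample output embedded below is constructed. The script reports range membership only: 7.0.104 (the version in 12.8SP4) is outside the CVE-2020-9484 range but still inside the CVE-2020-13935 range, so for that CVE the WebSocket point made in item 1 is what decides whether SPS is exposed.

```python
import re

# Affected version ranges exactly as quoted in the article (both bounds inclusive).
AFFECTED = {
    "CVE-2020-13935": [
        ("10.0.0-M1", "10.0.0-M6"),
        ("9.0.0.M1", "9.0.36"),
        ("8.5.0", "8.5.56"),
        ("7.0.27", "7.0.104"),
    ],
    "CVE-2020-9484": [
        ("10.0.0-M1", "10.0.0-M4"),
        ("9.0.0.M1", "9.0.34"),
        ("8.5.0", "8.5.54"),
        ("7.0.0", "7.0.103"),
    ],
}

# major.minor.patch with an optional milestone written as "-M<n>" or ".M<n>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Line printed by Tomcat's version script (catalina.sh version / version.sh).
_SERVER_VERSION_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(text):
    """Turn a Tomcat version string into a comparable tuple.

    Milestones sort before the corresponding final release, so
    10.0.0-M6 -> (10, 0, 0, 0, 6) and a final 10.0.0 -> (10, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_by(version, cve):
    """True if `version` lies inside any affected range quoted for `cve`."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[cve])


def assess(version):
    """Map each CVE in the article to whether `version` is in its affected range."""
    return {cve: affected_by(version, cve) for cve in AFFECTED}


def version_from_server_info(output):
    """Extract the version from the output of Tomcat's version script, or None."""
    m = _SERVER_VERSION_RE.search(output)
    return m.group(1) if m else None


# Constructed sample of what the version script prints on the 12.8 SPS Tomcat.
SAMPLE_SERVER_INFO = """Using CATALINA_BASE:   /opt/CA/secure-proxy/Tomcat
Server version: Apache Tomcat/7.0.94
Server built:   Apr 10 2019 13:12:17 UTC
"""

if __name__ == "__main__":
    running = version_from_server_info(SAMPLE_SERVER_INFO)
    for candidate in (running, "7.0.104", "9.0.0.M1", "10.0.0-M5", "8.5.57"):
        print(candidate, assess(candidate))
```

Because the ranges are data rather than code, the same checker can be reused for any later Tomcat advisory by adding its quoted ranges to AFFECTED.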