Apache Tomcat Vulnerabilities


Article ID: 195625



CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



We're running a CA Access Gateway (SPS) 12.8SP1 and we'd like to know
if the following vulnerabilities impact it:

  1. Tomcat Vulnerability - CVE-2020-13935 Apache Tomcat WebSocket
     Denial of Service.

  2. CVE-2020-9484 Vulnerability in Apache Tomcat.

How can we prevent those vulnerabilities?




Policy Server 12.8SP1 on RedHat 7




At first glance, yes, 12.8 and 12.8SP1 are impacted, since the 12.8 CA
Access Gateway (SPS) runs Tomcat 7.0.94:

   Third-Party Software Acknowledgments

    Tomcat 7.0.94

1. CVE-2020-13935 concerns the use of WebSocket, which the CA Access
   Gateway (SPS) doesn't support, so it is not vulnerable:

   Websocket support by Siteminder

     affects: Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36,
     8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.


2. For CVE-2020-9484, Apache provides a fix, which you can apply by
   following the documentation here:

   Fix for the CVE-2020-9484 Vulnerability in Apache Tomcat

     affects: Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1
     to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103


   As per the documentation,

     To fix the vulnerability in Release 12.8.02 or 12.8.03, we recommend
     that you apply the latest SiteMinder patch related to this
     vulnerability on Access Gateway in your environment.

   and as per the CR download site, the fix is only available for 12.8SP2
   and 12.8SP3, and it is already included in 12.8SP4, as 12.8SP4 runs
   Tomcat 7.0.104:

     Defects Fixed in 12.8.04

       20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
       DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
       2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
       upgraded to 7.0.104.


So, to fix the issue, update the environment to 12.8SP4.
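As an added example (not part of this Broadcom article, nor of any CA or Apache tooling), the following Python script parses the "affects" ranges quoted above exactly as the Apache advisories phrase them, including milestone builds such as 9.0.0.M1 and 10.0.0-M6, and applies them to the two Tomcat builds the article names: 7.0.94 (12.8 / 12.8SP1) and 7.0.104 (12.8SP4). It reproduces the article's reasoning that CVE-2020-13935 is not applicable while WebSocket is unused, and that 7.0.104 falls outside the CVE-2020-9484 range. The `assess` function, the `websocket` feature flag and the three verdict labels are this example's own conventions.

```python
"""Check a Tomcat build against the affected-version ranges quoted in the article.

Added example: the advisory text is copied from the article; everything else
(parsing, the feature gate, the verdict labels) is this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Matches 7.0.94, 9.0.0.M1 and 10.0.0-M6 (Apache writes milestones both ways).
_VERSION_TOKEN = r"\d+\.\d+\.\d+(?:[.-]M\d+)?"
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_RANGE = re.compile(rf"({_VERSION_TOKEN}) to ({_VERSION_TOKEN})")

# A final release must sort after every milestone of the same number.
_FINAL_RELEASE_RANK = 10**6


def parse_version(text: str) -> Version:
    """Turn a Tomcat version string into a comparable (major, minor, patch, milestone) tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else _FINAL_RELEASE_RANK
    return (int(major), int(minor), int(patch), rank)


def parse_ranges(advisory_text: str) -> List[Tuple[Version, Version]]:
    """Extract every 'X to Y' range from an advisory's 'affects' sentence."""
    flat = " ".join(advisory_text.split())  # tolerate line breaks in quoted text
    return [(parse_version(lo), parse_version(hi)) for lo, hi in _RANGE.findall(flat)]


def version_in_ranges(version: str, ranges: List[Tuple[Version, Version]]) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Advisory:
    cve: str
    affected: str                          # the "affects" sentence as quoted in the article
    requires_feature: Optional[str] = None  # feature that must be in use for exposure


# Ranges quoted verbatim from the article; the 'websocket' gate encodes the
# article's argument that SPS does not use WebSocket (example's own flag).
ADVISORIES = [
    Advisory("CVE-2020-13935",
             "Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, "
             "8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.",
             requires_feature="websocket"),
    Advisory("CVE-2020-9484",
             "Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 "
             "to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103"),
]


def assess(version: str, features_in_use: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return {cve: verdict}; verdicts are 'vulnerable', 'not-applicable' or 'not-affected'."""
    verdicts = {}
    for adv in ADVISORIES:
        if not version_in_ranges(version, parse_ranges(adv.affected)):
            verdicts[adv.cve] = "not-affected"      # outside the published range
        elif adv.requires_feature and adv.requires_feature not in features_in_use:
            verdicts[adv.cve] = "not-applicable"    # in range, but the feature is unused
        else:
            verdicts[adv.cve] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    # Tomcat builds named in the article, with SPS assumed not to use WebSocket.
    for release, tomcat in (("12.8 / 12.8SP1", "7.0.94"), ("12.8SP4", "7.0.104")):
        print(f"{release} (Tomcat {tomcat}): {assess(tomcat)}")
```

Running it shows 7.0.94 as vulnerable to CVE-2020-9484 and 7.0.104 as outside that range, while CVE-2020-13935 stays "not-applicable" for both until `{"websocket"}` is passed as a feature in use, which is the check to repeat if a future release of the gateway ever adds WebSocket support.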