We're running a CA Access Gateway (SPS) 12.8SP1 and we'd like to know if the following vulnerabilities impact it:
1. Tomcat vulnerability - CVE-2020-13935 Apache Tomcat WebSocket Denial of Service.
2. CVE-2020-9484 Vulnerability in Apache Tomcat.
How can we prevent those vulnerabilities?
Policy Server 12.8SP1 on RedHat 7
At first glance, yes, 12.8 and 12.8SP1 are impacted. 12.8 CA Access Gateway (SPS) runs Tomcat 7.0.94:
Third-Party Software Acknowledgments
1. This vulnerability is about the usage of WebSocket, which the CA Access Gateway (SPS) doesn't support, so it is not vulnerable:
Websocket support by Siteminder
Affects: Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104.
2. Apache provides a fix for it, which you can apply by following the documentation here:
Fix for the CVE-2020-9484 Vulnerability in Apache Tomcat
Affects: Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103.
As per the documentation,
To fix the vulnerability in Release 12.8.02 or 12.8.03, we recommend that you apply the latest SiteMinder patch related to this vulnerability on Access Gateway in your environment.
and as per the CR download site, the fix is only available for 12.8SP2 and 12.8SP3 and is already included in 12.8SP4, as 12.8SP4 runs Tomcat:
Defects Fixed in 12.8.04
20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache 2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is upgraded to 7.0.104.
So, to fix the issue, update the environment to 12.8SP4.
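The answer above decides applicability by comparing the bundled Tomcat version against the vendor's affected ranges, and then (for the WebSocket DoS) by whether the feature is used at all. The following is an added example, not code from the thread or from Broadcom, that turns that reasoning into a reusable check: it parses Tomcat version strings, including milestone releases such as `9.0.0.M1` and `10.0.0-M4`, tests them against the inclusive ranges quoted in the answer, and takes a `websocket_in_use` flag (an assumption of this example, not an SPS setting) to separate "affected version" from "exploitable in this deployment". The version strings it is run on are constructed for the example.

```python
"""Check an Apache Tomcat version against the affected ranges quoted above.

Added example. The ranges come from the answer on this page; the version
strings tried in main() are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Affected ranges as listed in the answer, inclusive on both ends.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2020-9484": [
        ("10.0.0-M1", "10.0.0-M4"),
        ("9.0.0.M1", "9.0.34"),
        ("8.5.0", "8.5.54"),
        ("7.0.0", "7.0.103"),
    ],
    "CVE-2020-13935": [
        ("10.0.0-M1", "10.0.0-M6"),
        ("9.0.0.M1", "9.0.36"),
        ("8.5.0", "8.5.56"),
        ("7.0.27", "7.0.104"),
    ],
}

# Accepts "7.0.94", "9.0.0.M1" (dot milestone) and "10.0.0-M4" (dash milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version string to a sortable tuple.

    A milestone (pre-release) must sort before the final x.y.z release, so
    milestones become (x, y, z, 0, n) and final releases (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on parsed versions."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_by(version: str, cve: str) -> bool:
    """True if the version falls inside any affected range for the CVE."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED[cve])


def assess(version: str, websocket_in_use: bool) -> Dict[str, str]:
    """Verdict per CVE for one deployment.

    websocket_in_use is an assumption of this example: the answer states that
    SPS does not support WebSocket, which is why CVE-2020-13935 does not apply
    to it even on an affected Tomcat version.
    """
    verdicts = {}
    for cve in AFFECTED:
        if not affected_by(version, cve):
            verdicts[cve] = "not in affected range"
        elif cve == "CVE-2020-13935" and not websocket_in_use:
            verdicts[cve] = "affected version, but WebSocket not used: not exploitable"
        else:
            verdicts[cve] = "affected: upgrade required"
    return verdicts


def main() -> None:
    # Constructed inputs: the Tomcat versions named on the page for 12.8SP1 and 12.8SP4.
    for version in ("7.0.94", "7.0.104"):
        print(version, assess(version, websocket_in_use=False))


if __name__ == "__main__":
    main()
```

Running it shows the point the answer makes implicitly: Tomcat 7.0.94 (12.8SP1) is inside the CVE-2020-9484 range and needs the upgrade, while 7.0.104 (12.8SP4) is outside it; 7.0.104 is still inside the CVE-2020-13935 range, which is harmless here only because SPS does not use WebSocket, so that flag should be re-checked if a deployment ever enables WebSocket.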