We're running a CA Access Gateway (SPS) and we'd like to know how to
prevent it from the following vulnerabilities :

   CVE-2020-9490

     A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request 

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490

   CVE-2020-11984
 
     Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
  
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
 
   CVE-2020-11993

     When trace/debug was enabled for the HTTP/2 module and on certain traffic edge pattern

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993

We noted that SPS runs Apache 2.4.43 :

  Defects Fixed in 12.8.04

    20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
    DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
    2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
    upgraded to 7.0.104.

  https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html

How can we fix this ?

At first glance, these vulnerabilities are present when the Apache
uses mod_http2 or mod_proxy_uwsgi. Out of the box, CA Access Gateway
(SPS) 12.8 doesn't load these module as per documentation :

   Review Embedded Servers for Vulnerabilities
   https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html

As such, the CA Access Gateway (SPS) 12.8SP4 is not vulnerable to the
3 vulnerabilities mentioned.