
Web Server Apache vulnerability


Article ID: 199990


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a CA Access Gateway (SPS) and we'd like to know how to
protect it from the following vulnerabilities:

   CVE-2020-9490

     A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490

   CVE-2020-11984

     Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984

   CVE-2020-11993

     When trace/debug was enabled for the HTTP/2 module and on certain traffic edge pattern

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993

We noted that SPS runs Apache 2.4.43:

  Defects Fixed in 12.8.04

    20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
    DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
    2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
    upgraded to 7.0.104.

  https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html

How can we fix this?


Resolution


These vulnerabilities are only present when Apache loads mod_http2 or
mod_proxy_uwsgi. Out of the box, CA Access Gateway (SPS) 12.8 does not
load these modules, as per the documentation:

   Review Embedded Servers for Vulnerabilities
   https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html

As such, CA Access Gateway (SPS) 12.8 SP4 is not vulnerable to the
three vulnerabilities mentioned.
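Since the resolution rests on the out-of-the-box module set, an administrator who has customised the SPS Apache configuration will want to verify it. The following shell script is an added example, not part of this article or of the SPS product: it lists which of the implicated modules an httpd.conf actually loads, using the Apache module names http2_module and proxy_uwsgi_module and two constructed sample configs.

```shell
#!/bin/sh
# Added check, not part of the Broadcom article or of the SPS product.
# Reports which of the Apache modules implicated in the three CVEs an
# httpd.conf actually loads: mod_http2 (CVE-2020-9490, CVE-2020-11993)
# and mod_proxy_uwsgi (CVE-2020-11984). A commented-out LoadModule
# line ("#LoadModule ...") does not load the module and must not count.

# Print the implicated module names loaded by the config file, one per
# line; prints nothing when neither is loaded. Directive names are
# case-insensitive in httpd.conf, so compare in lower case.
loaded_risky_modules() {
    awk 'tolower($1) == "loadmodule" &&
         ($2 == "http2_module" || $2 == "proxy_uwsgi_module") { print $2 }' "$1"
}

# Exit status 0 when neither module is loaded, 1 when at least one is.
check_conf() {
    found=$(loaded_risky_modules "$1")
    if [ -n "$found" ]; then
        printf 'loaded: %s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample configs in the style of a stock httpd.conf.
SAFE_CONF=$(mktemp)
RISKY_CONF=$(mktemp)
trap 'rm -f "$SAFE_CONF" "$RISKY_CONF"' EXIT
cat > "$SAFE_CONF" <<'EOF'
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule http2_module modules/mod_http2.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_module modules/mod_proxy.so
EOF
cat > "$RISKY_CONF" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
loadmodule http2_module modules/mod_http2.so
Protocols h2 http/1.1
EOF

check_conf "$SAFE_CONF" && echo "stock layout: no implicated module loaded"
check_conf "$RISKY_CONF" || echo "customised layout: review the CVEs above"
```

Run it against the SPS Apache httpd.conf and against every file that configuration Includes; on a running server, `httpd -M` lists every module actually loaded regardless of which file enabled it.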