We're running a CA Access Gateway (SPS) and we'd like to know how to
protect it from the following vulnerabilities:
CVE-2020-9490
A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
CVE-2020-11984
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
CVE-2020-11993
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge pattern
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993
We noted that SPS runs Apache 2.4.43:
Defects Fixed in 12.8.04
20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is
upgraded to 7.0.104.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html
How can we fix this?
At first glance, these vulnerabilities are present when Apache
uses mod_http2 or mod_proxy_uwsgi. Out of the box, CA Access Gateway
(SPS) 12.8 doesn't load these modules, as per the documentation:
Review Embedded Servers for Vulnerabilities
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html
As such, CA Access Gateway (SPS) 12.8 SP4 is not vulnerable to the
3 vulnerabilities mentioned.
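One way to verify the answer's premise on a given host, as an added shell example that is not part of the original article or of Broadcom's tooling: it checks an httpd configuration file for uncommented LoadModule directives naming the two modules the three CVEs depend on (http2_module and proxy_uwsgi_module). The configuration path of the SPS-embedded Apache is not given on this page, so the script runs against two constructed sample files written to a temporary directory; on a live Apache, `httpd -M` is the authoritative list of modules actually loaded, including ones pulled in by Include files.

```shell
#!/bin/sh
# Added example, not from the Broadcom KB article.
# Reports whether an httpd configuration enables the modules that
# CVE-2020-9490 / CVE-2020-11993 (mod_http2) and CVE-2020-11984
# (mod_proxy_uwsgi) depend on. Paths below are constructed samples.

# Return 0 (enabled) when file $1 has an uncommented LoadModule line for module $2.
# A leading '#' means the directive is commented out and does not match.
module_enabled() {
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"
}

# Print how many of the CVE-relevant modules file $1 enables (0, 1 or 2).
count_vulnerable_modules() {
    n=0
    for m in http2_module proxy_uwsgi_module; do
        if module_enabled "$1" "$m"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Human-readable report for file $1.
report() {
    echo "== $1"
    for m in http2_module proxy_uwsgi_module; do
        if module_enabled "$1" "$m"; then
            echo "ENABLED : $m  (review the matching CVE)"
        else
            echo "disabled: $m"
        fi
    done
}

# Constructed sample 1: resembles the out-of-the-box case described in the
# answer, with mod_http2 commented out and no mod_proxy_uwsgi at all.
WORK="${TMPDIR:-/tmp}/httpd_module_check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
SAMPLE_CLEAN="$WORK/clean.conf"
cat > "$SAMPLE_CLEAN" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
#LoadModule http2_module modules/mod_http2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
EOF

# Constructed sample 2: an administrator has enabled HTTP/2, which brings
# the mod_http2 CVEs back into scope.
SAMPLE_H2="$WORK/http2.conf"
cat > "$SAMPLE_H2" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
  LoadModule http2_module modules/mod_http2.so
LoadModule proxy_module modules/mod_proxy.so
Protocols h2 http/1.1
EOF

report "$SAMPLE_CLEAN"
report "$SAMPLE_H2"
```

The check is deliberately limited to LoadModule lines, so a module compiled statically into the binary, or loaded from an Include'd file, is not seen; that is why the live-system confirmation is `httpd -M` rather than grep.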