Turn off HTTP TRACE and TRACK method in CA Access Gateway (SPS)



Article ID: 211432


Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

A vulnerability scan reported the following findings against the SiteMinder CA Access Gateway (SPS):

  1. Vulnerabilities (9)
    3 HTTP TRACE / TRACK Methods Enabled port 443/tcp
    QID: 12680 CVSS Base: 5.8
    Category: CGI CVSS Temporal: 5.2
    CVE ID: CVE-2004-2320, CVE-2010-0386, CVE-2003-1567
    Vendor Reference:

  2. Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability port 443/tcp
    QID: 86473 CVSS Base: 5.8
    Category: Web server CVSS Temporal: 5
    CVE ID: CVE-2004-2320, CVE-2007-3008
    Vendor Reference:

Environment


CA Access Gateway (SPS) all versions

 

Cause


These findings are reported because the HTTP TRACE method is enabled on the CA Access Gateway (SPS). With TRACE allowed, the embedded Apache web server echoes the request back to the client, which is what the scanner flags as cross-site tracing (XST).

When installing CA Access Gateway (SPS), the installer asks whether to turn off the TRACE method or keep it enabled.

If the TRACE method was left enabled at install time, the scan result is expected behavior.

 

Resolution

 
Turn off the TRACE method manually by following the steps below (1). The httpd.conf to edit is the one used by the Apache web server embedded in the CA Access Gateway (SPS) installation.

Be sure to back up the existing httpd.conf before modifying it.

  1. Set "TraceEnable off" in the httpd.conf file:

    Default:
    TraceEnable on

    TRACE method disabled:
    TraceEnable off

  2. Ensure there is no "LoadModule proxy_module modules/mod_proxy.so" in the httpd.conf file.

    If such a line exists, either comment it out (use preceding #) or delete the line.

  3. Restart CA Access Gateway (SPS).

    Once SPS has restarted, any request that uses the TRACE method is refused with an HTTP 405 (Method Not Allowed) response instead of being echoed back, and a rescan should no longer report the finding.
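As an added example (not part of this article and not CA's own tooling), the following POSIX shell script applies steps 1 and 2 to an httpd.conf with a timestamped backup, audits the result, and provides a curl check for the 405 behavior described in step 3. The sample httpd.conf it writes is constructed for the demo and is not the file shipped with SPS; the hostname passed to the check is an assumption. Restarting SPS (step 3) is still a manual step.

```shell
#!/bin/sh
# Added example, not from the KB article or CA's own tooling.
# Applies steps 1 and 2 (TraceEnable off, no mod_proxy) to an httpd.conf,
# audits the result, and offers a post-restart TRACE check with curl.
# The real file lives under the SPS installation's Apache directory;
# the sample written by make_sample_conf is constructed for this demo.

# Write a constructed sample httpd.conf to $1 (not the file shipped with SPS).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf for the demo
Listen 443
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
TraceEnable on
EOF
}

# Return 0 only if TRACE is explicitly off and mod_proxy is not loaded.
# A missing TraceEnable directive counts as "on" (Apache's default), and
# commented-out lines (#...) are ignored by the anchored patterns.
audit_httpd_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*TraceEnable[[:space:]]+off' "$conf" || return 1
    grep -Eq '^[[:space:]]*TraceEnable[[:space:]]+(on|extended)' "$conf" && return 1
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_module' "$conf" && return 1
    return 0
}

# Steps 1 and 2: back up the file, force "TraceEnable off" (appending the
# directive if it is absent), and comment out any mod_proxy LoadModule line.
harden_httpd_conf() {
    conf="$1"
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if grep -Eq '^[[:space:]]*TraceEnable' "$conf"; then
        sed -i.tmp -E 's/^[[:space:]]*TraceEnable[[:space:]].*/TraceEnable off/' "$conf"
    else
        printf '\nTraceEnable off\n' >> "$conf"
    fi
    sed -i.tmp -E 's|^([[:space:]]*LoadModule[[:space:]]+proxy_module[[:space:]]+[^[:space:]]+)|#\1|' "$conf"
    rm -f "$conf.tmp"
}

# Step 3 verification (needs network, not run by the demo below): after the
# SPS restart a TRACE request must be answered with 405. The -k flag tolerates
# a self-signed lab certificate; drop it when checking a production gateway.
check_trace_refused() {
    code=$(curl -k -s -o /dev/null -w '%{http_code}' -X TRACE "https://$1/")
    [ "$code" = "405" ]
}

# Demo on a throwaway copy so nothing on a real server is touched.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/httpd.conf"
harden_httpd_conf "$demo_dir/httpd.conf"
if audit_httpd_conf "$demo_dir/httpd.conf"; then
    echo "hardened: $(grep -E 'TraceEnable|proxy_module' "$demo_dir/httpd.conf" | tr '\n' ';')"
fi
rm -rf "$demo_dir"
```

To use it on a real gateway, call `harden_httpd_conf` on the SPS httpd.conf, restart SPS, then run `check_trace_refused <sps-host>` (hostname assumed) from another machine; a 200 response with the request echoed in the body means TRACE is still enabled and the file in use is not the one that was edited.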

 

Additional Information