
Tomcat 7.0.x for Access Gateway Vulnerabilities


Article ID: 215966


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Siteminder bundles Tomcat 7.0.x with the Access Gateway Server.

Access Gateway r12.8.1: Tomcat 7.0.91

Access Gateway r12.8.2: Tomcat 7.0.91

Access Gateway r12.8.3: Tomcat 7.0.94

Access Gateway r12.8.4: Tomcat 7.0.104

Access Gateway r12.8.5: Tomcat 9.0.41 *

A number of vulnerabilities have been reported against various releases of the Tomcat 7.0.x line.

Environment

Release : 12.8.01 - r12.8.4

Component : SITEMINDER - Access Gateway Server

Cause

Fixed in Tomcat 7.0.94:

-> CVE-2019-0232; CVE-2019-0221

Fixed in Tomcat 7.0.99:

-> CVE-2019-17563; CVE-2019-12418

Fixed in Tomcat 7.0.100:

-> CVE-2019-17569; CVE-2019-1935; CVE-2019-1938

Fixed in Tomcat 7.0.104:

-> CVE-2019-9484

Fixed in Tomcat 7.0.105:

-> CVE-2019-13935

Fixed in Tomcat 7.0.107:

-> CVE-2019-24122

Fixed in Tomcat 7.0.108:

-> CVE-2019-25329


Resolution

Download: "Tomcat-lib-7.0.109.zip".

  • This fix is for both Windows and Linux
  • This fix is for Access Gateway r12.8.1 – r12.8.4

Tomcat 7.0.109 Installation Instructions

 1) Download the "Tomcat-lib-7.0.109.zip"

 NOTE: "Tomcat-lib-7.0.109.zip" contains the following files

proxyrt.jar

annotations-api.jar

catalina.jar

catalina-ant.jar

catalina-ha.jar

catalina-tribes.jar

ecj-4.4.2.jar

el-api.jar

jasper.jar

jasper-el.jar

jsp-api.jar

servlet-api.jar

tomcat-api.jar

tomcat-coyote.jar

tomcat-dbcp.jar

tomcat-i18n-es.jar

tomcat-i18n-fr.jar

tomcat-i18n-ja.jar

tomcat-i18n-ru.jar

tomcat-jdbc.jar

tomcat-util.jar

 2) Copy the files to the Access Gateway Server

 3) Unzip "Tomcat-lib-7.0.109.zip"

 4) Stop Access Gateway

 5) Go to "<access_gateway_installation_path>/secure-proxy/Tomcat/lib"

 6) Backup the "<access_gateway_installation_path>/secure-proxy/Tomcat/lib" directory

 7) Replace the files in "<access_gateway_installation_path>/secure-proxy/Tomcat/lib" with the files from "Tomcat-lib-7.0.109.zip"

 8) Start Access Gateway
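The eight steps above, written out as a POSIX shell script. This is an added example, not part of this article and not a Broadcom-supplied tool. It assumes that "Tomcat-lib-7.0.109.zip" has already been extracted (step 3) into the directory given as the second argument, that the first argument is <access_gateway_installation_path>, and that the operator stops and starts Access Gateway around it (steps 4 and 8). It takes the backup of step 6, refuses to start the copy of step 7 unless every jar listed in the NOTE is present in the extracted zip, and afterwards checks that each jar in the lib directory is byte-identical to the one shipped. The version check at the end uses org.apache.catalina.util.ServerInfo, which is Tomcat's own version reporter, and is skipped when java is not on PATH.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): applies the Tomcat-lib-7.0.109
# procedure on a Linux host with a backup and a post-copy verification.
# Assumptions: the zip is already extracted into the directory passed as $2;
# $1 is <access_gateway_installation_path>; Access Gateway is stopped first.

# The jar names the article lists as the contents of Tomcat-lib-7.0.109.zip.
EXPECTED_JARS="proxyrt.jar annotations-api.jar catalina.jar catalina-ant.jar
catalina-ha.jar catalina-tribes.jar ecj-4.4.2.jar el-api.jar jasper.jar
jasper-el.jar jsp-api.jar servlet-api.jar tomcat-api.jar tomcat-coyote.jar
tomcat-dbcp.jar tomcat-i18n-es.jar tomcat-i18n-fr.jar tomcat-i18n-ja.jar
tomcat-i18n-ru.jar tomcat-jdbc.jar tomcat-util.jar"

# Step 6: copy the whole lib directory aside before anything is overwritten.
# Prints the backup path on success so the caller can record it.
backup_lib_dir() {
    lib="$1/secure-proxy/Tomcat/lib"
    [ -d "$lib" ] || { echo "no lib directory at $lib" >&2; return 1; }
    bak="$lib.bak.$(date +%Y%m%d%H%M%S)"
    cp -Rp "$lib" "$bak" || return 1
    echo "$bak"
}

# Step 7: copy every jar from the extracted zip over the lib directory.
# All jars are checked before the first copy so a partial upgrade is never applied.
replace_jars() {
    lib="$1/secure-proxy/Tomcat/lib"
    src="$2"
    for j in $EXPECTED_JARS; do
        [ -f "$src/$j" ] || { echo "missing $j in $src; aborting" >&2; return 1; }
    done
    for j in $EXPECTED_JARS; do
        cp -p "$src/$j" "$lib/$j" || return 1
    done
}

# Post-copy check: each expected jar in lib is byte-identical to the shipped one.
# Returns 1 (after reporting every mismatch) if any differs or is missing.
verify_jars() {
    lib="$1/secure-proxy/Tomcat/lib"
    src="$2"
    rc=0
    for j in $EXPECTED_JARS; do
        if ! cmp -s "$src/$j" "$lib/$j"; then
            echo "mismatch or missing: $j" >&2
            rc=1
        fi
    done
    return $rc
}

# Ask the installed catalina.jar which Tomcat version it reports; expected
# output after the upgrade is "Server version: Apache Tomcat/7.0.109".
report_tomcat_version() {
    lib="$1/secure-proxy/Tomcat/lib"
    command -v java >/dev/null 2>&1 || { echo "java not on PATH; version check skipped" >&2; return 0; }
    java -cp "$lib/catalina.jar" org.apache.catalina.util.ServerInfo
}

# Usage: sh upgrade-tomcat-lib.sh <access_gateway_installation_path> <extracted_zip_dir>
# With no arguments the file only defines the functions (so it can be sourced).
case "${1:-}" in
    "") ;;
    *) backup_lib_dir "$1" && replace_jars "$1" "$2" \
        && verify_jars "$1" "$2" && report_tomcat_version "$1" ;;
esac
```

Because the zip replaces proxyrt.jar as well as the Tomcat jars, a proxyrt.jar from a separately applied hotfix is overwritten by step 7; the backup taken in step 6 is what lets you diff or restore it, so keep it until the gateway has been confirmed working.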


*** NOTICE REGARDING GOOGLE SAMESITE ***

 The Siteminder solution for Google's SameSite cookie handling is not included in the attached "proxyrt.jar".

 If you also want to apply the Siteminder SameSite solution on Access Gateway, download that patch separately.

 Samesite solution for Access Gateway:

 https://support.broadcom.com/external/content/release-announcements/CA-Single-Sign-On-Hotfix-Cumulative-Release-Index/6544#SMSPS2

 SSO Access Gateway r12.8 SP01 SameSite:

https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS11726&os=ANY

 SSO Access Gateway r12.8 SP02 SameSite:

https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS11725&os=ANY

 SSO Access Gateway r12.8 SP03 SameSite:

https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS11726&os=ANY

 NOTE: SameSite support is included automatically in Siteminder Access Gateway r12.8.4 and higher.


Additional Information

###### REFERENCES ######

https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/service-packs.html

Attachments

Tomcat-lib-7.0.109_1622052529267.zip