A vulnerability scan of Process Automation (ITPAM) servers reveals an 'Apache Tomcat AJP File Inclusion Vulnerability'.
CA Process Automation 4.x
When Process Automation (ITPAM) is installed, all JBOSS files are installed.
ITPAM does not need the "jbossweb.sar" folder.
To fix the reported vulnerability, follow the steps below.
1. Locate and back up the <ITPAM installation location>\PAM\server\c2o\deploy\jbossweb.sar\server.xml file.
2. Edit the file with a text editor and comment out the "AJP 1.3 Connector" tag.
For example, the section looks like this once it is commented out:
<!--Connector port="${tomcat.connector.ajp.port}" address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" redirectPort="${tomcat.secure.port}" protocol="AJP/1.3" useBodyEncodingForURI="true" maxThreads="3000" backlog="20000" connectionTimeout="120000" keepAliveTimeout="120000"/-->
3. Save the changes and recycle the ITPAM service.
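To confirm the edit in step 2 took effect, the following check parses server.xml and reports any AJP connector that is still uncommented, or a file left malformed by a broken comment. It is an added example, not part of the original article or the product's tooling; the sample XML is constructed and trimmed, and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, trimmed server.xml: AJP connector still active (before step 2).
SAMPLE_BEFORE = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" protocol="HTTP/1.1"/>
    <Connector port="${tomcat.connector.ajp.port}" address="${jboss.bind.address}"
               redirectPort="${tomcat.secure.port}" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Same constructed file after step 2, commented in the style the article shows.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '<Connector port="${tomcat.connector.ajp.port}"',
    '<!--Connector port="${tomcat.connector.ajp.port}"',
).replace('protocol="AJP/1.3"/>', 'protocol="AJP/1.3"/-->')


def active_ajp_connectors(xml_text):
    """Return (port, address) for every uncommented AJP <Connector>."""
    # The default parser discards XML comments, so a commented-out
    # connector never appears in the tree.
    root = ET.fromstring(xml_text)
    return [
        (conn.get("port"), conn.get("address"))
        for conn in root.iter("Connector")
        if conn.get("protocol", "").upper().startswith("AJP")
    ]


def audit(xml_text):
    """Classify the file as 'disabled', 'active' or 'malformed'."""
    try:
        hits = active_ajp_connectors(xml_text)
    except ET.ParseError as exc:  # e.g. a comment opened but never closed
        return "malformed", str(exc)
    return ("active", hits) if hits else ("disabled", [])


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            status, detail = audit(fh.read())
        print(status, detail)
        sys.exit(0 if status == "disabled" else 1)
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, *audit(text))
```

A "malformed" result means the edited file should be restored from the backup taken in step 1 before the service is recycled.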
In future releases of CA Process Automation (ITPAM), JBOSS will be upgraded to address these types of vulnerabilities.