Vulnerabilities in tomcat 8.5.30 for CABI


Article ID: 224045

Products

CA Service Operations Insight (SOI)

Issue/Introduction

The Security Team reported several vulnerabilities in the Tomcat version 8.5.30 used by CABI.

The affected CVEs are:

CVE-2021-33037
CVE-2021-35517
CVE-2021-30639
CVE-2021-30640
CVE-2021-36090
CVE-2021-35516
CVE-2021-35515

The following versions are affected:
Apache Tomcat 8, all versions <= 8.5.66

Cause

This information is specific to the SOI - CABI 7.1.1 integration.

It is not advised for use with other CABI versions or for integration with other Broadcom products.

Environment

SERVICE OPERATIONS INSIGHT 4.2

CABI 7.1.1

Resolution

To mitigate these vulnerabilities, you must upgrade the Tomcat version to 8.5.70. Follow these steps:

  1. Stop the 'CA Business Intelligence Tomcat' service.
  2. Go to the following directory:
    • cd "/CA/SC/CA Business Intelligence/Apache-tomcat"
  3. Take a backup of the Apache-tomcat folder.
  4. Download the zip file from the following box location.
  5. Unzip the zip file and replace the files under the Apache-tomcat folder with its contents.
  6. Start the 'CA Business Intelligence Tomcat' service.

After replacing the files in the Apache-tomcat folder, the Connector port is reset to the Tomcat default, so the port settings of the previous installation must be restored:

  1. Take the port information from the server.xml of the older Tomcat version (the backup taken above).
  2. Change to the directory: \tomcat-8.5.70\conf\
  3. Edit the server.xml file in that directory and update the <Connector> element with the following values:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
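The step above is easy to get wrong when the old and new server.xml files are edited by hand, and a Tomcat that silently comes up on the wrong port is the usual symptom. The following helper is an added example, not Broadcom tooling and not part of this article: it reads the <Connector> elements from the backed-up server.xml and from the freshly unzipped one, carries the old port and redirectPort values across (matched by protocol), and reports every value it changed. The two embedded server.xml fragments are constructed sample inputs; the port 8085 in the "new" file is a stand-in for whatever the shipped file contains, and the file paths in main() are assumptions.

```python
"""Restore the old CABI Tomcat Connector ports into the new 8.5.70 server.xml.

Added example (hypothetical helper, not Broadcom's or Apache's code).
Usage: python restore_ports.py <backup>/conf/server.xml <tomcat-8.5.70>/conf/server.xml
Without arguments it runs on the constructed samples below.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# <Connector> attributes that identify the listener and must survive the upgrade.
PORT_ATTRS = ("port", "redirectPort")

# Constructed sample: the site's old server.xml (ports as on the article's Connector line).
OLD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: the server.xml shipped with the new files (HTTP port differs).
NEW_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector connectionTimeout="20000" port="8085" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def connector_ports(server_xml: str) -> list[dict]:
    """Return, in document order, the protocol and port attributes of each <Connector>."""
    root = ET.fromstring(server_xml)
    result = []
    for conn in root.iter("Connector"):
        entry = {"protocol": conn.get("protocol", "HTTP/1.1")}
        for attr in PORT_ATTRS:
            if conn.get(attr) is not None:
                entry[attr] = conn.get(attr)
        result.append(entry)
    return result


def restore_ports(old_xml: str, new_xml: str) -> tuple[str, list[str]]:
    """Rewrite new_xml so each <Connector> uses the old port values.

    Connectors are matched by protocol (HTTP/1.1, AJP/1.3, ...).  Returns the
    patched XML text and a list of human-readable changes; an empty list means
    the new file already carried the old ports.
    """
    old_by_proto: dict[str, ET.Element] = {}
    for conn in ET.fromstring(old_xml).iter("Connector"):
        old_by_proto.setdefault(conn.get("protocol", "HTTP/1.1"), conn)

    new_root = ET.fromstring(new_xml)
    changes: list[str] = []
    for conn in new_root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        old = old_by_proto.get(proto)
        if old is None:
            changes.append(f"{proto}: no matching Connector in old server.xml; left unchanged")
            continue
        for attr in PORT_ATTRS:
            old_val, new_val = old.get(attr), conn.get(attr)
            if old_val is not None and old_val != new_val:
                conn.set(attr, old_val)
                changes.append(f"{proto}: {attr} {new_val} -> {old_val}")
    return ET.tostring(new_root, encoding="unicode"), changes


def main(argv: list[str]) -> int:
    if len(argv) == 3:  # real files: paths are assumptions, see module docstring
        with open(argv[1], encoding="utf-8") as f:
            old_xml = f.read()
        with open(argv[2], encoding="utf-8") as f:
            new_xml = f.read()
    else:
        old_xml, new_xml = OLD_SERVER_XML, NEW_SERVER_XML
    patched, changes = restore_ports(old_xml, new_xml)
    for line in changes or ["no port differences found"]:
        print(line)
    print(patched)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One caveat on the output: ElementTree drops XML comments and the declaration, and the stock server.xml is mostly comments, so the printed document is best used as a list of the attribute values to apply by hand to the shipped file rather than written over it unchanged.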