When running a vulnerability scan against Advanced Authentication (AA), the scanner may flag the Common Vulnerabilities and Exposures (CVE) entry CVE-2023-24998. Refer to the NIST record (https://nvd.nist.gov/vuln/detail/CVE-2023-24998) for details of the vulnerability, which can be exploited to cause a Denial of Service (DoS).
The issue is specifically due to AA's use of vulnerable Apache Commons FileUpload binaries (JARs etc.) of version 1.4 and below. NIST (National Institute of Standards and Technology) recommends that all web applications deployed under an application server such as Tomcat be upgraded to Apache Commons FileUpload binaries (JARs etc.) of version 1.5 and above. Advanced Authentication components deployed via Tomcat, such as the Arcot Admin Console (deployed via arcotadmin.war) and UDS (deployed via arcotuds.war), are vulnerable to CVE-2023-24998.
The complete list of affected AA components is as follows:
1. arcotadmin
2. arcotuds
3. aa-restapi
4. arcotafm
5. ca-strongauth-sample-application
Release: AA 9.1.x
Request For Information (RFI) for CVE-2023-24998 - https://nvd.nist.gov/vuln/detail/CVE-2023-24998
The AA components that are deployed under Tomcat, such as the Arcot Admin Console and UDS, currently use Apache Commons FileUpload related binaries (JARs etc.) of version 1.4 or below, and are therefore vulnerable. These web application components need to be upgraded to Apache Commons FileUpload binaries (JARs etc.) of version 1.5 and above.
Note that the fix for CVE-2023-24998 does not depend on the Tomcat 10 updates, so an upgrade to Tomcat 10.x.x is not required to remediate this vulnerability. The latest Tomcat 9.x.x version (9.0.74) is sufficient when used together with the Broadcom-provided fix for this Apache Commons FileUpload issue.
Broadcom has crafted a remediation. Please file a new case stating your AA version, as the remediation is available for the versions listed below. Also note that AA 9.1.05 (aka SP5), which will be released soon, will already include the fix.
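As an added verification check (not part of this article or of the AA product), the following Python script inspects a packaged WAR, or an exploded webapp directory under Tomcat's webapps/, for the bundled commons-fileupload JAR and reports whether its version is below the fixed 1.5 release. It assumes the JAR follows the standard commons-fileupload-<version>.jar naming, and the sample WARs it builds are constructed test data; run it against each of the five affected WARs listed above before and after applying the Broadcom fix.

```python
import io
import os
import re
import zipfile

FIXED_VERSION = (1, 5)  # Apache Commons FileUpload 1.5 and above is not affected
JAR_RE = re.compile(r"commons-fileupload-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

def versions_from_names(entry_names):
    """Extract (major, minor[, patch]) from commons-fileupload jars under WEB-INF/lib."""
    found = []
    for name in entry_names:
        m = JAR_RE.search(name)
        if "WEB-INF/lib/" in name and m:
            found.append(tuple(int(x) for x in m.groups() if x is not None))
    return found

def versions_in_war(war_bytes):
    """Versions bundled in a packaged WAR (a zip archive) given as bytes."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return versions_from_names(war.namelist())

def versions_in_exploded_dir(app_dir):
    """Versions bundled in an exploded webapp directory under Tomcat's webapps/."""
    lib = os.path.join(app_dir, "WEB-INF", "lib")
    if not os.path.isdir(lib):
        return []
    return versions_from_names("WEB-INF/lib/" + f for f in os.listdir(lib))

def is_vulnerable(versions):
    """True if any bundled commons-fileupload jar is below the fixed 1.5 release."""
    return any(v[:2] < FIXED_VERSION for v in versions)

def make_sample_war(jar_names):
    """Constructed test data: an in-memory WAR whose WEB-INF/lib holds empty jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: one unpatched WAR and one remediated WAR.
    sample = {"arcotadmin.war": make_sample_war(["commons-fileupload-1.4.jar"]),
              "arcotuds.war": make_sample_war(["commons-fileupload-1.5.jar"])}
    for war, data in sample.items():
        versions = versions_in_war(data)
        print(war, versions, "VULNERABLE" if is_vulnerable(versions) else "OK")
```

On a live server, point versions_in_war at the bytes of each WAR in webapps/ (or versions_in_exploded_dir at its unpacked directory); an empty result means no commons-fileupload JAR was found by name and the WEB-INF/lib contents should be reviewed by hand.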
1. AA 9.1.01 (aka SP1)
2. AA 9.1.02 (aka SP2)
3. AA 9.1.03 (aka SP3)
4. AA 9.1.04 (aka SP4)