Impact of CVE-2023-44487 on CA Client Automation

Article ID: 275030


Products

CA Client Automation CA Client Automation - IT Client Manager

Issue/Introduction

CVE-2023-44487, the HTTP/2 (H2) "Rapid Reset" vulnerability, permits a novel
denial-of-service scenario: a client opens a high volume of HTTP/2 streams and
immediately cancels each one (RST_STREAM), resetting streams faster than the
server can release the resources it allocated for them. This exhausts server
resources and can cause outages.

Environment

Release 14.5 CU6

Cause

Resolution

HTTP/2 is used by the Web Admin Console (WAC) and ENC components of Client Automation when SSL is enabled, so both Tomcat instances have to be updated.

This vulnerability is addressed by upgrading the bundled Apache Tomcat to version 9.0.82.

Web Admin Console (WAC):

  1. Download the 32-bit Windows zip of Apache Tomcat 9.0.82 from the Apache Tomcat site and verify it against the checksum or PGP signature published there.

  2. Extract the downloaded zip file.

  3. Stop the Tomcat service (from a command prompt: caf stop tomcat).

  4. Take a backup of the currently installed Tomcat directory before proceeding with the upgrade, for example:

     ..\CA\SC\Tomcat\8.5.56

  5. Copy the extracted 9.0.82 directory tree into "..\CA\SC\Tomcat".

  6. Rename the new folder to 8.5.56, the name of the original installation directory (the backup from step 4 must not remain under that name), so that existing references to ..\CA\SC\Tomcat\8.5.56 keep working.

  7. Edit ..\CA\SC\Tomcat\8.5.56\conf\server.xml and comment out the AJP connector on port 8009 (this may already have been done):

     Existing:
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

     New change:
     <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

  8. Navigate to "..\CA\DSM\Web Console\conf", take a backup of server.xml, then edit the original server.xml and update the AJP connector on port 8020:

     Existing:
     <Connector port="8020" protocol="AJP/1.3" redirectPort="8443" />

     New change:
     <Connector port="8020" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0" secretRequired="true" secret="mysecret" />

     Tomcat 9.0.31 and later will not start an AJP connector that has no secret configured (secretRequired defaults to true), which is why these attributes are needed when moving up from 8.5. Replace mysecret with a long random value of your own; the same value goes into worker.properties in the next step. Because the IIS redirector connects to localhost (step 9), address="127.0.0.1" is sufficient and keeps the AJP port off the network, whereas address="0.0.0.0" makes it reachable from every interface.

  9. Edit "..\CA\DSM\Web Console\jakarta\worker.properties" and add or update the worker.ajp13w.secret entry with the same value, so that the worker definition reads:

     worker.ajp13w.type=ajp13
     worker.ajp13w.host=localhost
     worker.ajp13w.port=8020
     worker.ajp13w.secret=mysecret

  10. Run the following from the command prompt:

     iisreset /stop
     iisreset /start
     caf start tomcat

  11. Launch the Web Admin Console (WAC).

  12. Open the current catalina.yyyy-mm-dd.log in "..\CA\DSM\Web Console\logs" and confirm that the new version was logged at startup: Starting Servlet engine: [Apache Tomcat/9.0.82].

ENC:

  1. Stop the CAF services: caf stop

  2. Back up the Tomcat directory (C:\Program Files (x86)\CA\DSM\ENC\Tomcat).

  3. Place the Tomcat 9.0.82 files and folders in that directory.

  4. Copy the "encServer" folder from the backup into C:\Program Files (x86)\CA\DSM\ENC\Tomcat\webapps.

  5. Start the services: caf start

  6. Verify the version after the upgrade by running version.bat from C:\Program Files (x86)\CA\DSM\ENC\Tomcat\bin; it should report Apache Tomcat/9.0.82.

  7. Check that the ENC server is up: caf status encserver (state: Running).

  8. Run the following commands and confirm that the requests show up in the log files under C:\Program Files (x86)\CA\DSM\ENC\Tomcat\logs:

     encutilcmd server -server
     encutilcmd server -client

     If nothing is logged, the likely cause is the HTTP connector port in "...\ENC\Tomcat\conf\server.xml", which a freshly unpacked Tomcat sets to 8080:

     <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443" />

     Change the port number from 8080 to the one that was chosen for ENC at installation time.

Also, whenever Tomcat is replaced, delete the examples application (..\Tomcat\webapps\examples) from every Tomcat instance, together with any of the other default web applications shipped in webapps (docs, manager, host-manager) that Client Automation does not need.
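As an added example (it is not part of this article and not CA Client Automation code), the Python script below applies the AJP connector changes from WAC steps 7 to 9 to copies of the three configuration files, generates a random AJP secret instead of mysecret, and then verifies the result: no active AJP connector left on 8009, a secret required on 8020 that matches worker.properties, the Tomcat version recorded in the catalina log (WAC step 12), and the ENC HTTP connector port (ENC step 8). All file contents are constructed samples; the real paths are the ones given in the steps above. It binds the AJP connector to 127.0.0.1 rather than the 0.0.0.0 shown in step 8, on the assumption that only the local IIS redirector (worker.ajp13w.host=localhost) needs to reach it.

```python
r"""Added example, not CA/Broadcom code: apply and verify the Tomcat 9.0.82
AJP/port changes on copies of the files named in the article:
  ..\CA\SC\Tomcat\8.5.56\conf\server.xml          (comment out AJP 8009)
  ..\CA\DSM\Web Console\conf\server.xml            (AJP 8020 + secret)
  ..\CA\DSM\Web Console\jakarta\worker.properties  (matching secret)
  ...\ENC\Tomcat\conf\server.xml                   (HTTP port check)
"""
import re
import secrets
import xml.etree.ElementTree as ET

# --- constructed pre-change samples of the relevant parts of each file ---
SC_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""
WAC_SERVER_XML = SC_SERVER_XML.replace('port="8009"', 'port="8020"')
WORKER_PROPERTIES = ("worker.list=ajp13w\nworker.ajp13w.type=ajp13\n"
                     "worker.ajp13w.host=localhost\nworker.ajp13w.port=8020\n")
CATALINA_LOG = ("09-Nov-2023 10:00:01.234 INFO [main] org.apache.catalina.core."
                "StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.82]\n")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _ajp(port):
    """Regex for one <Connector .../> element with the given AJP port, any attribute order."""
    return re.compile(r'<Connector\b(?=[^>]*\bport="%d")(?=[^>]*\bprotocol="AJP/1\.3")'
                      r'(?P<attrs>[^>]*?)/>' % port)


def new_ajp_secret():
    """Random 256-bit secret; URL-safe base64 needs no escaping in XML or .properties."""
    return secrets.token_urlsafe(32)


def comment_out_ajp_connector(xml_text, port):
    """WAC step 7: wrap the (possibly multi-line) connector element in an XML comment.
    Already-commented lines start with '<!--', so running this twice is harmless."""
    pat = re.compile(r'^([ \t]*)(' + _ajp(port).pattern + r')[ \t]*$', re.M)
    return pat.sub(r'\1<!-- \2 -->', xml_text)


def harden_ajp_connector(xml_text, port, secret, address="127.0.0.1"):
    """WAC step 8: require a secret and bind to loopback (assumption: only the local
    IIS worker needs AJP; the article itself uses address="0.0.0.0")."""
    def repl(m):
        attrs = re.sub(r'\s+(address|secretRequired|secret)="[^"]*"', '', m.group('attrs')).rstrip()
        return '<Connector%s address="%s" secretRequired="true" secret="%s" />' % (attrs, address, secret)
    new, n = _ajp(port).subn(repl, xml_text)
    if n != 1:
        raise ValueError("expected exactly one AJP connector on port %d, found %d" % (port, n))
    return new


def set_worker_secret(props_text, secret, worker="ajp13w"):
    """WAC step 9: add or replace worker.<name>.secret in worker.properties."""
    line = "worker.%s.secret=%s" % (worker, secret)
    pat = re.compile(r'^worker\.%s\.secret\s*=.*$' % re.escape(worker), re.M)
    new, n = pat.subn(line, props_text)
    return new if n else props_text.rstrip("\n") + "\n" + line + "\n"


def worker_secret(props_text, worker="ajp13w"):
    m = re.search(r'^worker\.%s\.secret\s*=\s*(\S+)' % re.escape(worker), props_text, re.M)
    return m.group(1) if m else None


def connectors(xml_text, protocol):
    """Active connectors only: ElementTree drops XML comments, as Tomcat does."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [dict(c.attrib) for c in root.iter("Connector") if c.get("protocol") == protocol]


def tomcat_version_from_log(log_text):
    """WAC step 12: the version Tomcat logged at startup, or None if absent."""
    m = re.search(r'Starting Servlet engine: \[Apache Tomcat/([\d.]+)\]', log_text)
    return m.group(1) if m else None


def check_wac(sc_xml, wac_xml, props, log, expected="9.0.82"):
    """Return a list of problems; an empty list means the WAC upgrade checks out."""
    problems = []
    for c in connectors(sc_xml, "AJP/1.3"):
        problems.append("SC server.xml: AJP connector on port %s is still active" % c.get("port"))
    ajp = connectors(wac_xml, "AJP/1.3")
    if len(ajp) != 1:
        problems.append("WAC server.xml: expected one AJP connector, found %d" % len(ajp))
    else:
        c = ajp[0]
        if c.get("secretRequired") != "true":
            problems.append("WAC server.xml: secretRequired is not true")
        sec = c.get("secret")
        if not sec or sec == "mysecret" or len(sec) < 16:
            problems.append("WAC server.xml: AJP secret missing or weak")
        if sec != worker_secret(props):
            problems.append("worker.properties secret does not match server.xml")
        if c.get("address", "127.0.0.1") not in LOOPBACK:   # Tomcat 9.0.31+ defaults to loopback
            problems.append("WAC server.xml: AJP bound to %s, reachable from the network" % c["address"])
    ver = tomcat_version_from_log(log)
    if ver != expected:
        problems.append("catalina log shows Tomcat %s, expected %s" % (ver, expected))
    return problems


def check_enc_http_port(enc_xml, installed_port):
    """ENC step 8: the HTTP connector must use the port chosen at install, not the 8080 default."""
    return [int(c["port"]) for c in connectors(enc_xml, "HTTP/1.1")] == [installed_port]
```

Run check_wac on the unmodified samples and it reports the active 8009 connector and the missing secret; run it on the output of comment_out_ajp_connector, harden_ajp_connector and set_worker_secret (all fed the same new_ajp_secret() value) and it returns an empty list. check_enc_http_port takes the ENC port that was given at installation time, which this article does not state.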