Tomcat 9.0.82 and Older Vulnerability on Siteminder Access Gateway

Article ID: 276868


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Siteminder Access Gateway r12.8.5 and higher bundles Apache Tomcat 9.0.x as the application server. The Tomcat version varies by Access Gateway release:

r12.8.5:  Apache Tomcat 9.0.41
r12.8.6:  Apache Tomcat 9.0.52
r12.8.6a: Apache Tomcat 9.0.58
r12.8.7:  Apache Tomcat 9.0.65
r12.8.8:  Apache Tomcat 9.0.83

There have been a number of vulnerabilities in Tomcat 9.0.x, which are remediated in Tomcat 9.0.81 and higher.

Environment

Product: Symantec Siteminder

Component: Access Gateway Server

Version: 12.8.05 and higher

Operating System: Any

Cause

CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252
CVE-2022-34305
CVE-2022-29885
CVE-2021-43980
CVE-2022-23181
CVE-2021-42340
CVE-2021-33037
CVE-2021-30640
CVE-2021-30639
CVE-2021-41079
CVE-2021-25329
CVE-2021-25122

Resolution

How to Verify the Version of Tomcat on Siteminder Access Gateway

1) Log on to the host running Siteminder Access Gateway

2) Browse to the Tomcat directory in Access Gateway

cd <Install_Dir>/CA/secure-proxy/Tomcat/lib/

3) Run the following command

java -cp catalina.jar org.apache.catalina.util.ServerInfo

4) Record the version of Tomcat Server
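As an added example that is not part of this KB, the following POSIX shell helper parses the ServerInfo output from step 3 and compares the reported version numerically against the 9.0.83 target, so a fleet of gateways can be checked consistently. The two sample outputs are constructed; the install path in the closing comment is the Linux default named later in this article.

```shell
#!/bin/sh
# Added example, not part of the Broadcom KB: parse the output of
#   java -cp catalina.jar org.apache.catalina.util.ServerInfo
# and report whether the bundled Tomcat meets the 9.0.83 target.
# Assumes ServerInfo prints a "Server number: 9.0.83.0" line (stock Tomcat format).

TARGET="9.0.83"

# tomcat_version <serverinfo-output>: prints the x.y.z version, or nothing if absent
tomcat_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Server number:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge <a> <b>: succeeds when dotted version a >= b, compared numerically
# field by field (a plain string compare would rank 9.0.9 above 9.0.83)
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_serverinfo <serverinfo-output>: prints PATCHED, VULNERABLE or UNKNOWN with
# the version; exit status is 0 only when the version is at or above TARGET
check_serverinfo() {
    v=$(tomcat_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN (no 'Server number' line found)"
        return 2
    fi
    if version_ge "$v" "$TARGET"; then
        echo "PATCHED $v"
    else
        echo "VULNERABLE $v (upgrade to $TARGET or later)"
        return 1
    fi
}

# Constructed sample outputs, shaped like ServerInfo's report for two Access Gateway releases
SAMPLE_OLD='Server version: Apache Tomcat/9.0.65
Server number:  9.0.65.0
OS Name:        Linux'
SAMPLE_NEW='Server version: Apache Tomcat/9.0.83
Server number:  9.0.83.0'

# Live use on the gateway host (default Linux install path from this KB):
#   check_serverinfo "$(cd /opt/CA/secure-proxy/Tomcat/lib && java -cp catalina.jar org.apache.catalina.util.ServerInfo)"
```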

 

Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.83

1) Download the Tomcat 9.0.83 patch ('Tomcat_9.0.83.zip', attached to this KB)

2) Copy 'Tomcat_9.0.83.zip' to the Access Gateway Server and unzip it.

3) Stop the Access Gateway Server

4) Back up the <Install_Dir>\secure-proxy\Tomcat\lib directory

Defaults:

LINUX:   <Install_Dir> = /opt/CA/secure-proxy/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\secure-proxy\Tomcat\

cp -R /<Install_Dir>/secure-proxy/Tomcat/lib/ /<Install_Dir>/secure-proxy/Tomcat/lib-BAK

5) Back up the <Install_Dir>\secure-proxy\Tomcat\bin directory

cp -R /<Install_Dir>/secure-proxy/Tomcat/bin/ /<Install_Dir>/secure-proxy/Tomcat/bin-BAK

6) Copy the following jar files from "Tomcat_9.0.83/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib"

annotations-api.jar
catalina.jar
catalina-ant.jar
catalina-ha.jar
catalina-ssi.jar
catalina-storeconfig.jar
catalina-tribes.jar
ecj-4.20.jar
el-api.jar
jasper.jar
jasper-el.jar
jaspic-api.jar
jsp-api.jar
servlet-api.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-dbcp.jar
tomcat-i18n-cs.jar
tomcat-i18n-de.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-i18n-ko.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ru.jar
tomcat-i18n-zh-CN.jar
tomcat-jdbc.jar
tomcat-jni.jar
tomcat-util.jar
tomcat-util-scan.jar
tomcat-websocket.jar
websocket-api.jar

NOTE: Copy the files from the source directory into the target directory; do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Tomcat_9.0.83>/lib/* /<Install_Dir>/secure-proxy/Tomcat/lib/

7) Copy the following jar files from "Tomcat_9.0.83/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin"

bootstrap.jar
commons-daemon.jar
tomcat-juli.jar

NOTE: Copy the files from the source directory into the target directory; do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Tomcat_9.0.83>/bin/* /<Install_Dir>/secure-proxy/Tomcat/bin/

8) Start the Access Gateway Server.

9) Once functionality has been verified, you can delete the backed-up directories:

/<Install_Dir>/secure-proxy/Tomcat/lib-BAK
/<Install_Dir>/secure-proxy/Tomcat/bin-BAK

Additional Information

https://www.cve.org/

https://cve.mitre.org/cve/search_cve_list.html

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.83


Attachments

Tomcat_9.0.83.zip