Siteminder Access Gateway r12.8.5 and higher bundles Apache Tomcat 9.0.x as the application server. Tomcat versions vary by the Access Gateway release:
r12.8.5: Apache Tomcat 9.0.41
r12.8.6: Apache Tomcat 9.0.52
r12.8.6a: Apache Tomcat 9.0.58
r12.8.7: Apache Tomcat 9.0.65
r12.8.8: Apache Tomcat 9.0.83
r12.8.8 SP01: Apache Tomcat 9.0.86
KB276868 also delivers Tomcat 9.0.83
A number of vulnerabilities have been reported in Tomcat 9.0.x; they are remediated in Tomcat 9.0.86. This KB delivers Apache Tomcat 9.0.86 as an in-place upgrade for Siteminder Access Gateway r12.8.5 through r12.8.8. Note that r12.8.8.01 (r12.8.8 SP01) already ships with Apache Tomcat 9.0.86.
Product: Siteminder
Component: Access Gateway
Version: 12.80.0500.2546 and later
Operating system: Any
CVE-2024-23672
Description: It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption.
Impacted: Tomcat 9.0.0-M1 - 9.0.85
Remediated: 9.0.86
CVE-2024-24549
Description: When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.
Impacted: Tomcat 9.0.0-M1 - 9.0.85
Remediated: 9.0.86
How to Verify The Version of Tomcat on Siteminder Access Gateway
1) Log on to the host running Siteminder Access Gateway
2) Browse to the Tomcat directory in Access Gateway
cd <Install_Dir>/CA/secure-proxy/Tomcat/lib/
3) Run the following command
java -cp catalina.jar org.apache.catalina.util.ServerInfo
4) Record the version of Tomcat Server
Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.86
1) Download the Tomcat 9.0.86 patch, 'Tomcat_9.0.86.zip' (attached to this KB)
2) Copy 'Tomcat_9.0.86.zip' to the Access Gateway Server and unzip it.
3) Stop the Access Gateway Server
4) Back up the <Install_Dir>\secure-proxy\Tomcat\lib directory
Defaults:
LINUX: <Install_Dir> = /opt/CA/secure-proxy/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\secure-proxy\Tomcat\
cp -R /<Install_Dir>/secure-proxy/Tomcat/lib/ /<Install_Dir>/secure-proxy/Tomcat/lib-BAK
5) Back up the <Install_Dir>\secure-proxy\Tomcat\bin directory
cp -R /<Install_Dir>/secure-proxy/Tomcat/bin/ /<Install_Dir>/secure-proxy/Tomcat/bin-BAK
6) Copy the following jar files from "Tomcat_9.0.86/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib"
annotations-api.jar
catalina.jar
catalina-ant.jar
catalina-ha.jar
catalina-ssi.jar
catalina-storeconfig.jar
catalina-tribes.jar
ecj-4.20.jar
el-api.jar
jasper.jar
jasper-el.jar
jaspic-api.jar
jsp-api.jar
servlet-api.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-dbcp.jar
tomcat-i18n-cs.jar
tomcat-i18n-de.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-i18n-ko.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ru.jar
tomcat-i18n-zh-CN.jar
tomcat-jdbc.jar
tomcat-jni.jar
tomcat-util.jar
tomcat-util-scan.jar
tomcat-websocket.jar
websocket-api.jar
NOTE: Copy the files from the source directory into the target directory. Don't copy the /bin and /lib directories themselves.
EXAMPLE:
cp -rf /<Tomcat_9.0.86>/lib/* /<Install_Dir>/secure-proxy/Tomcat/lib/
7) Copy the following jar files from "Tomcat_9.0.86/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin"
bootstrap.jar
commons-daemon.jar
tomcat-juli.jar
NOTE: Copy the files from the source directory into the target directory. Don't copy the /bin and /lib directories themselves.
EXAMPLE:
cp -rf /<Tomcat_9.0.86>/bin/* /<Install_Dir>/secure-proxy/Tomcat/bin/
8) Start the Access Gateway Server.
9) Once functionality has been verified, you can delete the backed-up directories
/<Install_Dir>/secure-proxy/Tomcat/lib-BAK
/<Install_Dir>/secure-proxy/Tomcat/bin-BAK
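The version check from "How to Verify The Version of Tomcat" and the jar copy in steps 6 and 7, scripted as an added example (this is not part of the KB or of the Access Gateway product): it parses ServerInfo output, compares the version against the 9.0.86 remediation level, and lists any jars from the KB's lib and bin lists that are absent from a directory. The ServerInfo text is a constructed sample; on a live host, pass the output of the java command from the verify steps instead.

```bash
# Added example (not part of the KB): parse ServerInfo output, decide whether
# the bundled Tomcat is below the remediated level, and check the KB's jar set.
# Minimum level that remediates CVE-2024-23672 and CVE-2024-24549 (from the KB).
REMEDIATED_VERSION="9.0.86"

# Jars the KB says to copy into Tomcat/lib and Tomcat/bin.
REQUIRED_LIB_JARS="annotations-api.jar catalina.jar catalina-ant.jar catalina-ha.jar
catalina-ssi.jar catalina-storeconfig.jar catalina-tribes.jar ecj-4.20.jar el-api.jar
jasper.jar jasper-el.jar jaspic-api.jar jsp-api.jar servlet-api.jar tomcat-api.jar
tomcat-coyote.jar tomcat-dbcp.jar tomcat-i18n-cs.jar tomcat-i18n-de.jar tomcat-i18n-es.jar
tomcat-i18n-fr.jar tomcat-i18n-ja.jar tomcat-i18n-ko.jar tomcat-i18n-pt-BR.jar
tomcat-i18n-ru.jar tomcat-i18n-zh-CN.jar tomcat-jdbc.jar tomcat-jni.jar tomcat-util.jar
tomcat-util-scan.jar tomcat-websocket.jar websocket-api.jar"
REQUIRED_BIN_JARS="bootstrap.jar commons-daemon.jar tomcat-juli.jar"

# Constructed sample of ServerInfo output for an r12.8.8 host (not captured output).
SAMPLE_SERVERINFO="Server version: Apache Tomcat/9.0.83
Server number:  9.0.83.0
OS Name:        Linux"

# Extract the dotted version ("9.0.83") from ServerInfo output read on stdin.
tomcat_version_from_serverinfo() {
    sed -n 's#^Server version: *Apache Tomcat/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Exit 0 when dotted version $1 is numerically lower than $2 (component by component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0; y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Exit 0 when the ServerInfo text in $1 reports a Tomcat below REMEDIATED_VERSION.
tomcat_needs_upgrade() {
    v=$(printf '%s\n' "$1" | tomcat_version_from_serverinfo)
    [ -n "$v" ] && version_lt "$v" "$REMEDIATED_VERSION"
}

# Print, one per line, each jar named in $2.. that is absent from directory $1.
missing_jars() {
    dir="$1"; shift
    for j in "$@"; do [ -f "$dir/$j" ] || echo "$j"; done
}
```

On the gateway host, run the java command from the verify steps inside the Tomcat/lib directory and pass its output to tomcat_needs_upgrade; after step 7, run missing_jars against the lib and bin directories with the two lists above to confirm no jar was skipped.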
Apache.org: Fixed in Apache Tomcat 9.0.86
Tomcat 9.0.86 also remediates the following CVEs:
CVE-2024-23672
CVE-2024-24549
CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252
CVE-2022-34305
CVE-2022-29885
CVE-2021-43980
CVE-2022-23181
CVE-2021-42340
CVE-2021-33037
CVE-2021-30640
CVE-2021-30639
CVE-2021-41079
CVE-2021-25329
CVE-2021-25122