Siteminder Access Gateway r12.8.6 and higher bundles Apache Tomcat 9.0.x as the application server. Tomcat versions vary by the Access Gateway release:
r12.8.6: Apache Tomcat 9.0.52
r12.8.6a: Apache Tomcat 9.0.58
r12.8.7: Apache Tomcat 9.0.65
r12.8.8: Apache Tomcat 9.0.83
r12.8.8.1: Apache Tomcat 9.0.86
r12.9 ships with Apache Tomcat 9.0.100.0
KB281190 (archived) also delivered Tomcat 9.0.86
KB381451 (archived) delivered Tomcat 9.0.96
KB383137 (archived) delivered Tomcat 9.0.97
KB384944 delivered Tomcat 9.0.98
There have been a number of vulnerabilities in Tomcat 9.0.98 and older which are remediated in Tomcat 9.0.99 and higher.
Note:
PRODUCT: Siteminder
COMPONENT: Access Gateway
VERSIONS IMPACTED: 12.8.6 - 12.8.8.1
OS: Any
CVE-2025-24813 "Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet"
SEVERITY: Important
DESCRIPTION:
The original implementation of partial PUT used a temporary file based on the user-provided file name and path, with the path separator replaced by ".".
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
writes enabled for the default servlet (disabled by default)
support for partial PUT (enabled by default)
a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
attacker knowledge of the names of security sensitive files being uploaded
the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
writes enabled for the default servlet (disabled by default)
support for partial PUT (enabled by default)
application was using Tomcat's file based session persistence with the default storage location
application included a library that may be leveraged in a deserialization attack
VERSIONS: 9.0.0.M1 to 9.0.98
REMEDIATED: Tomcat 9.0.99 and higher
Upgrade Tomcat to 9.0.102 using the update patch attached to this KB
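Both attack paths in the description above start from the same precondition: the DefaultServlet has writes enabled, which Tomcat turns off by default via the readonly init-param in conf/web.xml. The following script is an added example, not part of the KB or of Siteminder, that audits a web.xml for that setting; TOMCAT_DIR is an assumed default path, and the two web.xml files it writes are constructed samples so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the KB): audit a Tomcat conf/web.xml for the
# CVE-2025-24813 precondition "writes enabled for the default servlet",
# i.e. the servlet named "default" carrying readonly=false.
TOMCAT_DIR="${TOMCAT_DIR:-/opt/CA/secure-proxy/Tomcat}"   # assumed install path

# default_servlet_writable FILE -> exit 0 when the <servlet> block named
# "default" sets <param-name>readonly</param-name> to false (any case).
# A servlet with no readonly param keeps Tomcat's default of true.
default_servlet_writable() {
  awk '
    /<servlet>/ { inblock = 1; name = ""; pname = ""; ro = "true" }
    inblock && /<servlet-name>/ {
      s = $0; sub(/.*<servlet-name>[ \t]*/, "", s); sub(/[ \t]*<\/servlet-name>.*/, "", s); name = s
    }
    inblock && /<param-name>/ {
      s = $0; sub(/.*<param-name>[ \t]*/, "", s); sub(/[ \t]*<\/param-name>.*/, "", s); pname = s
    }
    inblock && pname == "readonly" && /<param-value>/ {
      s = $0; sub(/.*<param-value>[ \t]*/, "", s); sub(/[ \t]*<\/param-value>.*/, "", s)
      ro = tolower(s); pname = ""
    }
    /<\/servlet>/ {
      if (inblock && name == "default" && ro == "false") found = 1
      inblock = 0
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# write_sample_webxml FILE READONLY_VALUE : constructed test input that mirrors
# the shape of Tomcat's default servlet declaration (not a real gateway file).
write_sample_webxml() {
  cat > "$1" <<EOF
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>$2</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
EOF
}

# audit_webxml FILE -> prints a verdict; returns 0 when write-enabled, 1 otherwise
audit_webxml() {
  if default_servlet_writable "$1"; then
    echo "WRITE-ENABLED: DefaultServlet readonly=false in $1 (CVE-2025-24813 precondition present)"
    return 0
  fi
  echo "ok: DefaultServlet is read-only in $1"
  return 1
}

# Demo on constructed files. Real use: audit_webxml "$TOMCAT_DIR/conf/web.xml"
SAFE=$(mktemp); WRITABLE=$(mktemp)
write_sample_webxml "$SAFE" true
write_sample_webxml "$WRITABLE" false
audit_webxml "$SAFE" || true
audit_webxml "$WRITABLE" || true
rm -f "$SAFE" "$WRITABLE"
```

The check is deliberately conservative: it only reports the servlet named "default", it treats a missing readonly param as Tomcat's default of true, and it compares the value case-insensitively because Tomcat parses it with Boolean semantics. A positive result does not by itself mean the instance was exploitable (the description lists further conditions), but it is the setting to confirm is off on any gateway still running Tomcat 9.0.98 or older.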
How to Verify The Version of Tomcat on Siteminder Access Gateway
Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.102
1) Download the Tomcat 9.0.102 patch ['Tomcat_9.0.102.zip' (attached to this KB)]
2) Copy 'Tomcat_9.0.102.zip' to the Access Gateway Server and unzip it.
3) Stop the Access Gateway Server
4) Back-up the <Install_Dir>\secure-proxy\Tomcat\lib directory
Defaults:
LINUX: <Install_Dir> = /opt/CA/secure-proxy/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\secure-proxy\Tomcat\
cp -R /<Install_Dir>/secure-proxy/Tomcat/lib/ /<Install_Dir>/secure-proxy/Tomcat/lib-BAK
5) Back-up the <Install_Dir>\secure-proxy\Tomcat\bin directory
cp -R /<Install_Dir>/secure-proxy/Tomcat/bin/ /<Install_Dir>/secure-proxy/Tomcat/bin-BAK
6) Copy the following jar files from "Tomcat_9.0.102/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib"
annotations-api.jar
catalina.jar
catalina-ant.jar
catalina-ha.jar
catalina-ssi.jar
catalina-storeconfig.jar
catalina-tribes.jar
ecj-4.20.jar
el-api.jar
jasper.jar
jasper-el.jar
jaspic-api.jar
jsp-api.jar
servlet-api.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-coyote-ffm.jar
tomcat-dbcp.jar
tomcat-i18n-cs.jar
tomcat-i18n-de.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-i18n-ko.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ru.jar
tomcat-i18n-zh-CN.jar
tomcat-jdbc.jar
tomcat-jni.jar
tomcat-util.jar
tomcat-util-scan.jar
tomcat-websocket.jar
websocket-api.jar
NOTE: Copy the files from the source directory to the target directory. Don't copy the /bin and /lib directories themselves.
EXAMPLE:
cp -rf /<Tomcat_9.0.102>/lib/* /<Install_Dir>/secure-proxy/Tomcat/lib/
7) Copy the following jar files from "Tomcat_9.0.102/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin"
bootstrap.jar
commons-daemon.jar
tomcat-juli.jar
NOTE: Copy the files from the source directory to the target directory. Don't copy the /bin and /lib directories themselves.
EXAMPLE:
cp -rf /<Tomcat_9.0.102>/bin/* /<Install_Dir>/secure-proxy/Tomcat/bin/
8) Start the Access Gateway Server.
9) Once functionality has been verified, you can delete the backed-up directories
/<Install_Dir>/secure-proxy/Tomcat/lib-BAK
/<Install_Dir>/secure-proxy/Tomcat/bin-BAK
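Steps 4 through 7 above as one script, added here as an example and not part of the KB or the product: it backs up lib and bin, refuses to run over an existing backup (so a second run cannot overwrite the only copy of the old jars), copies only the jar files the KB lists after confirming the staging directory holds all of them, verifies each copied jar is byte-identical to its staging copy, and reads the installed version back from catalina.jar with Tomcat's own org.apache.catalina.util.ServerInfo class. INSTALL_DIR (the parent of secure-proxy) and STAGE_DIR (the unzipped Tomcat_9.0.102.zip) are assumptions; make_fixture builds a constructed tree of dummy jars so the script can be exercised without a real gateway. Stop the Access Gateway (step 3) before running it against a live install.

```shell
#!/bin/sh
# Added example (not from the KB): scripted form of steps 4-7.
INSTALL_DIR="${INSTALL_DIR:-/opt/CA}"          # assumed: parent of secure-proxy
STAGE_DIR="${STAGE_DIR:-./Tomcat_9.0.102}"     # assumed: unzipped Tomcat_9.0.102.zip

# Jars the KB says to replace, one list per destination directory.
LIB_JARS="annotations-api.jar catalina.jar catalina-ant.jar catalina-ha.jar catalina-ssi.jar
catalina-storeconfig.jar catalina-tribes.jar ecj-4.20.jar el-api.jar jasper.jar jasper-el.jar
jaspic-api.jar jsp-api.jar servlet-api.jar tomcat-api.jar tomcat-coyote.jar tomcat-coyote-ffm.jar
tomcat-dbcp.jar tomcat-i18n-cs.jar tomcat-i18n-de.jar tomcat-i18n-es.jar tomcat-i18n-fr.jar
tomcat-i18n-ja.jar tomcat-i18n-ko.jar tomcat-i18n-pt-BR.jar tomcat-i18n-ru.jar tomcat-i18n-zh-CN.jar
tomcat-jdbc.jar tomcat-jni.jar tomcat-util.jar tomcat-util-scan.jar tomcat-websocket.jar websocket-api.jar"
BIN_JARS="bootstrap.jar commons-daemon.jar tomcat-juli.jar"

tomcat_home() { echo "$1/secure-proxy/Tomcat"; }

# backup_dir TOMCAT_HOME NAME : copy NAME to NAME-BAK (steps 4 and 5).
# Refuses to overwrite an existing backup so the original jars are never lost.
backup_dir() {
  src="$1/$2"; dst="$1/$2-BAK"
  [ -d "$src" ] || { echo "missing $src" >&2; return 1; }
  [ -e "$dst" ] && { echo "backup $dst already exists; move it aside first" >&2; return 1; }
  cp -R "$src" "$dst"
}

# copy_jars STAGE_SUBDIR DEST_DIR JARS : copy only the listed jars (steps 6 and 7),
# failing before touching DEST_DIR if the staging directory lacks any of them.
copy_jars() {
  for jar in $3; do
    [ -f "$1/$jar" ] || { echo "staging dir $1 lacks $jar" >&2; return 1; }
  done
  for jar in $3; do
    cp -f "$1/$jar" "$2/$jar" || return 1
  done
}

# jars_match STAGE_SUBDIR DEST_DIR JARS : 0 when every listed jar in DEST is identical to staging
jars_match() {
  for jar in $3; do
    cmp -s "$1/$jar" "$2/$jar" || return 1
  done
}

# report_tomcat_version TOMCAT_HOME : print the version baked into catalina.jar
# (Tomcat's ServerInfo class prints "Server version: Apache Tomcat/9.0.x"); needs java on PATH
report_tomcat_version() {
  command -v java >/dev/null 2>&1 || { echo "java not on PATH; cannot query ServerInfo" >&2; return 1; }
  java -cp "$1/lib/catalina.jar" org.apache.catalina.util.ServerInfo
}

# upgrade_tomcat INSTALL_DIR STAGE_DIR : steps 4-7 in order, stopping at the first failure
upgrade_tomcat() {
  home=$(tomcat_home "$1")
  backup_dir "$home" lib && backup_dir "$home" bin &&
  copy_jars "$2/lib" "$home/lib" "$LIB_JARS" &&
  copy_jars "$2/bin" "$home/bin" "$BIN_JARS" &&
  jars_match "$2/lib" "$home/lib" "$LIB_JARS" &&
  jars_match "$2/bin" "$home/bin" "$BIN_JARS"
}

# make_fixture : constructed staging + install tree of dummy jars in a temp dir; prints its path
make_fixture() {
  root=$(mktemp -d)
  th="$root/install/secure-proxy/Tomcat"
  mkdir -p "$root/stage/lib" "$root/stage/bin" "$th/lib" "$th/bin"
  for jar in $LIB_JARS; do echo "new $jar" > "$root/stage/lib/$jar"; echo "old $jar" > "$th/lib/$jar"; done
  for jar in $BIN_JARS; do echo "new $jar" > "$root/stage/bin/$jar"; echo "old $jar" > "$th/bin/$jar"; done
  echo "$root"
}

# Demo against the constructed fixture. Real use: upgrade_tomcat "$INSTALL_DIR" "$STAGE_DIR"
# followed by report_tomcat_version "$(tomcat_home "$INSTALL_DIR")" once the gateway is back up.
FIXTURE=$(make_fixture)
if upgrade_tomcat "$FIXTURE/install" "$FIXTURE/stage"; then
  echo "upgrade applied under $FIXTURE/install (lib-BAK and bin-BAK kept for rollback)"
else
  echo "upgrade aborted; see messages above" >&2
fi
rm -rf "$FIXTURE"
```

Copying the named jars rather than `lib/*` means a stray file in the staging directory cannot land in the gateway's classpath, and the cmp pass after copying is the check step 9 relies on: only delete lib-BAK and bin-BAK once the jars on disk match the patch and ServerInfo reports 9.0.102.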
Additional Vulnerabilities in Tomcat 9.0.99 and older:
CVE-2025-24813
CVE-2024-56337
CVE-2024-54677
CVE-2024-50379
CVE-2024-52318
CVE-2024-52317
CVE-2024-52316
CVE-2024-34750
CVE-2024-38286
CVE-2024-23672
CVE-2024-24549
CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252
CVE-2022-34305
CVE-2022-29885
CVE-2021-43980
CVE-2022-23181
CVE-2021-42340
CVE-2021-33037
CVE-2021-30640
CVE-2021-30639
CVE-2021-41079
CVE-2021-25329
CVE-2021-25122