Multiple Vulnerabilities in Service Management


Article ID: 392095


Products

CA Service Catalog
CA Service Desk Manager
ServiceDesk
CA Service Management - Service Desk Manager
CA Process Automation Base
Process Automation Manager

Issue/Introduction

Are the CA Service Management products affected by the following Apache Tomcat vulnerabilities?

CA Service Desk Manager (OpenJDK Platform binary 11.0.18)
CVE-2024-56337
CVE-2025-24813
CVE-2024-52316
CVE-2024-50379

xFlow Interface
CVE-2024-56337
CVE-2024-50379

CA Service Catalog
CVE-2024-56337
CVE-2024-50379
CVE-2024-52316

Environment

Service Desk 17.4.x
Service Catalog 17.4.x
ITPAM 4.4.x
Jaspersoft 9.x

Resolution

First, ITPAM 4.4 uses Firefly as its application server rather than Apache Tomcat, so these Tomcat CVEs do not apply to it.

For SDM, Catalog, and Jaspersoft:

The most recent of these, CVE-2025-24813, affects Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Upgrade to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. Those releases also contain the fixes for the three older CVEs (see the fix versions listed under Additional Information), so a single upgrade to one of them clears all four.

For SDM, follow the product documentation for the upgrade procedure: Upgrade Tomcat and JRE (CASM Admin)

Note that 17.4 RU4 already ships Apache Tomcat 9.0.102 (64-bit). That is later than 9.0.99, so an SDM installation on RU4 already carries the fixes and no separate Tomcat upgrade is needed for these CVEs.

For Jaspersoft, follow this KB article: Upgrading JasperServer's Apache Tomcat minor version
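Before deciding whether an upgrade is needed, confirm which Tomcat build each component is actually running. The shell script below is an added example (not CA or Broadcom tooling): it reads the version from ServerInfo.properties inside lib/catalina.jar, the same source bin/version.sh reports, and classifies it against the fix thresholds quoted above (9.0.99, 10.1.35, 11.0.3). The install path and the availability of unzip are assumptions; the sample version strings at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example: classify an Apache Tomcat version against the fix levels
# named in this article. Not part of any CA Service Management product.

# Print the Tomcat version of an installation, e.g. "9.0.102" or "11.0.0-M1".
# $1 is CATALINA_HOME (assumed path). Requires unzip.
tomcat_version() {
    props="org/apache/catalina/util/ServerInfo.properties"
    unzip -p "$1/lib/catalina.jar" "$props" 2>/dev/null \
        | sed -n 's/^server\.info=Apache Tomcat\/\(.*\)$/\1/p'
}

# Exit status: 0 = already carries the fixes, 1 = in an affected range,
# 2 = a branch this article does not cover (e.g. 8.5.x).
tomcat_is_fixed() {
    v="$1"
    # Milestone builds (11.0.0-M1, 9.0.0.M1) are all affected; drop the
    # suffix so they compare as x.y.0, below every threshold.
    v=$(printf '%s' "$v" | sed 's/[.-]M[0-9]*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch:-0}
    case "$major.$minor" in
        9.0)  need=99 ;;   # fixed in 9.0.99
        10.1) need=35 ;;   # fixed in 10.1.35
        11.0) need=3  ;;   # fixed in 11.0.3
        *)    return 2 ;;
    esac
    [ "$patch" -ge "$need" ]
}

# Human-readable verdict for one version string.
verdict() {
    rc=0
    tomcat_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "$1: patched (at or above fix level)" ;;
        1) echo "$1: AFFECTED - upgrade to 9.0.99+/10.1.35+/11.0.3+" ;;
        *) echo "$1: branch not covered by this article" ;;
    esac
}

# Constructed sample inputs (not read from a real install).
for v in 9.0.98 9.0.102 10.1.34 11.0.0-M1 11.0.3 8.5.100; do
    verdict "$v"
done

# Real use (path is an assumption): verdict "$(tomcat_version /opt/CA/SharedComponents/tomcat)"
```

Run it against each Tomcat instance SDM, Catalog and Jaspersoft use; they are separate installations and can be at different levels.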

Additional Information

Whenever upgrading Tomcat, or doing any other patching or upgrading, take a backup of the affected component(s) first to

  • preserve configuration details that might be lost during the upgrade
  • provide a rollback path in case something goes wrong

If the server is a virtual machine, a snapshot gives an easy full rollback, but it is awkward when all you need is to recover a single configuration file such as server.xml. So, disk space permitting, also zip or copy the entire Tomcat folder to another location, and take the image snapshot as well if possible.
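The following shell function is an added example of the folder-level backup described above (it is not a CA utility). It archives the whole Tomcat directory with a timestamp, keeps a loose copy of conf/ so a single file like server.xml can be recovered without unpacking the archive, and verifies the archive reads back before reporting success. The paths are assumptions.

```shell
#!/bin/sh
# Added example: timestamped backup of a Tomcat installation before patching.
# Not part of CA Service Management. Paths passed in are assumptions.

# backup_tomcat CATALINA_HOME DEST_DIR
# Writes DEST_DIR/tomcat-<stamp>.tar.gz and DEST_DIR/conf-<stamp>/,
# prints the archive path, returns non-zero on any failure.
backup_tomcat() {
    src="$1"
    dest="$2"
    if [ ! -d "$src/conf" ]; then
        echo "backup_tomcat: $src does not look like a Tomcat home (no conf/)" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    archive="$dest/tomcat-$stamp.tar.gz"

    # Archive relative to the parent directory so a rollback is simply:
    #   tar -xzf "$archive" -C "$(dirname "$src")"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    # Loose copy of conf/ for single-file recovery (server.xml, context.xml, ...).
    cp -R "$src/conf" "$dest/conf-$stamp" || return 1

    # Do not declare success until the archive can be listed back.
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# Self-demo on a constructed throwaway tree when run without arguments;
# with arguments, back up the real installation: backup_tomcat HOME DEST
if [ "$#" -ge 2 ]; then
    backup_tomcat "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/tomcat/conf"
    printf '<Server port="8005"/>\n' > "$demo/tomcat/conf/server.xml"   # constructed sample
    backup_tomcat "$demo/tomcat" "$demo/backups" && echo "demo backup written under $demo/backups"
fi
```

Take the backup on the same volume the upgrade will touch only if there is room for a full second copy; otherwise point DEST_DIR at another filesystem.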

More information about the referenced vulnerabilities can be found here:

CVE-2025-24813:

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

National Vulnerability Database CVE-2025-24813 Detail

Mentioned as fixed in Apache Tomcat 11.0.3: Apache Tomcat 11.x vulnerabilities - Fixed in Apache Tomcat 11.0.3

CVE-2024-56337:

National Vulnerability Database CVE-2024-56337 Detail

Mentioned as fixed in Apache Tomcat 11.0.2: Apache Tomcat 11.x vulnerabilities - Fixed in Apache Tomcat 11.0.2

CVE-2024-52316:

National Vulnerability Database CVE-2024-52316 Detail

Mentioned as fixed in Apache Tomcat 11.0.0: Apache Tomcat 11.x vulnerabilities - Fixed in Apache Tomcat 11.0.0

CVE-2024-50379:

National Vulnerability Database CVE-2024-50379 Detail

Mentioned as fixed in Apache Tomcat 11.0.2: Apache Tomcat 11.x vulnerabilities - Fixed in Apache Tomcat 11.0.2