Log4j, remote code execution, and Password Form-based vulnerabilities in CA Access Gateway (SPS)

Article ID: 393724

Updated On: 04-09-2025

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


When running Apache, the following vulnerabilities were reported:

AutoComplete Attribute Not Disabled for Password in Form Based Authentication
EOL/Obsolete Software: Apache Log4j 1.X Detected
Apache Log4j 1.2 Remote Code Execution Vulnerability
Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell)
Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832)
Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-45046) (Log4Shell)
Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell)
Apache Struts2 Remote Code Execution (S2-066)


Resolution


Fix the "AutoComplete Attribute Not Disabled for Password in Form Based Authentication" finding by adding autocomplete="off" to the password input element of the forms (1).
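As an added example (not code from this article or from the CA Access Gateway product), the check below scans login form HTML for password inputs that still allow browser autocomplete and produces a hardened copy with autocomplete="off"; the sample form and its field names are constructed, and the tag-level regex assumes plain HTML rather than a full parser.

```javascript
// Added example: detect and fix password inputs lacking autocomplete="off".
// Assumes plain HTML input tags; uses a tag-level regex, not a full DOM parser.

const INPUT_TAG_RE = /<input\b[^>]*>/gi;

// Parse the attributes of one <input ...> tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const attrRe = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return every password input whose autocomplete attribute is missing or not "off".
function findPasswordInputsAllowingAutocomplete(html) {
  const offenders = [];
  for (const tag of html.match(INPUT_TAG_RE) || []) {
    const a = parseAttrs(tag);
    if (a.type === 'password' && a.autocomplete !== 'off') offenders.push(tag);
  }
  return offenders;
}

// Return a copy of the page with autocomplete="off" on every password input,
// replacing any existing autocomplete value instead of duplicating the attribute.
function hardenPasswordInputs(html) {
  return html.replace(INPUT_TAG_RE, (tag) => {
    const a = parseAttrs(tag);
    if (a.type !== 'password') return tag;
    const stripped = tag.replace(
      /\s+autocomplete(?![\w:.-])(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/gi, '');
    return stripped.replace(/^<input\b/i, '<input autocomplete="off"');
  });
}

// Constructed sample login form (hypothetical field names, not from the article).
const SAMPLE_FORM = `<form method="post" action="/login">
  <input type="text" name="USER">
  <input type="password" name="PASSWORD">
  <input type='PASSWORD' name="CONFIRM" autocomplete="on">
  <input type="password" name="PIN" autocomplete="off" />
</form>`;
```

Running findPasswordInputsAllowingAutocomplete(SAMPLE_FORM) flags the PASSWORD and CONFIRM fields; after hardenPasswordInputs(SAMPLE_FORM) the same check returns nothing.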

The oldest supported version of CA Access Gateway (SPS), 12.8SP6a, runs Log4j 2.17.1 (2).

Moreover, CVE-2021-44832 and CVE-2021-45046 do not affect CA Access Gateway (SPS) (3).

The "Apache Log4j Denial of Service (DOS) Vulnerability (Log4Shell)" also does not affect the oldest supported version of CA Access Gateway (SPS), 12.8SP6a (4).

The "Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell)" also does not affect the oldest supported version of CA Access Gateway (SPS), 12.8SP6a (5).

Finally, regarding "Apache Struts2 Remote Code Execution (S2-066)", no Struts2 files are present among the installed files.


Additional Information