Vulnerabilities in Tomcat 7.0.108 and Older on Siteminder Agent for Sharepoint 12.52 SP01

Article ID: 398708


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The Siteminder Web Agent for Sharepoint 12.8.7 and higher bundles Tomcat 9.0.x as the application server. The bundled Tomcat version varies by Web Agent for Sharepoint release:

r12.52 SP01 cr04: Tomcat 7.0.59
r12.52 SP01 cr07: Tomcat 7.0.77.0.1
r12.52 SP01 cr10: Tomcat 7.0.94.0
r12.52 SP01 cr11: Tomcat 7.0.105

NOTE: Web Agent for Sharepoint r12.8.x ships with Tomcat 9.0.x.

A number of vulnerabilities have been published for Tomcat 7.0.108 and older; they are remediated in Tomcat 7.0.109 and higher.

Environment

PRODUCT: Siteminder

COMPONENT: Web Agent for Sharepoint

VERSIONS IMPACTED: r12.52 and higher

OS: Any

Cause

The following CVEs have been published for Tomcat 7.0.105 to 7.0.108:

CVE-2021-30640 "Authentication weakness"

SEVERITY: Low

DESCRIPTION: Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user-provided data (e.g. user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

IMPACTED: 7.0.0 to 7.0.108

REMEDIATED: Tomcat 7.0.109

CVE-2021-25329 "Fix for CVE-2020-9484 was incomplete"

SEVERITY: Low

DESCRIPTION: The fix for CVE-2020-9484 was incomplete.

IMPACTED: 7.0.0 to 7.0.107

REMEDIATED: Tomcat 7.0.108

CVE-2021-24122 "Information Disclosure"

SEVERITY: Important

DESCRIPTION: When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

IMPACTED: 7.0.0 to 7.0.106

REMEDIATED: Tomcat 7.0.108

Resolution

How to Verify The Version of Tomcat on Siteminder Web Agent For Sharepoint

Upgrade Tomcat for Symantec Siteminder Web Agent for Sharepoint 12.52 to Tomcat 7.0.109:

1) Download the Tomcat 7.0.109 patch 'Tomcat-7.0.109.zip', which is attached to this KB.

2) Copy 'Tomcat-7.0.109.zip' to the Web Agent for Sharepoint Server and unzip it.

3) Stop the Web Agent for Sharepoint Server.

4) Back up the <Install_Dir>\Agent-for-SharePoint\Tomcat\lib\ directory.

Defaults:

LINUX:   <Install_Dir> = /opt/CA/Agent-for-SharePoint/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\Agent-for-SharePoint\Tomcat\

EXAMPLE:

cp -R <Install_Dir>/Agent-for-SharePoint/Tomcat/lib/ <Install_Dir>/Agent-for-SharePoint/Tomcat/lib-BAK

5) Copy the contents of "/Tomcat-7.0.109/lib/" into "<Install_Dir>\Agent-for-SharePoint\Tomcat\lib":

annotations-api.jar
catalina.jar
catalina-ant.jar
catalina-ha.jar
catalina-tribes.jar
ecj-4.4.2.jar
el-api.jar
jasper.jar
jasper-el.jar
jsp-api.jar
proxyrt.jar
servlet-api.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-dbcp.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-i18n-ru.jar
tomcat-jdbc.jar
tomcat-util.jar

NOTE: Copy the files from the source directory into the target directory. Do not copy the /lib directories themselves.

EXAMPLE:

cp -rf <Tomcat-7.0.109>/lib/* <Install_Dir>/Agent-for-SharePoint/Tomcat/lib/

6) Start the Siteminder Web Agent for Sharepoint.

7) Once functionality has been verified, you can delete the backed-up directory:

<Install_Dir>/Agent-for-SharePoint/Tomcat/lib-BAK

NOTE: This fix does not include the SameSite solution in 'proxyrt.jar'.
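As an added example (not part of this KB or of the Siteminder product), a Python script that carries out steps 4 and 5 above and then checks the result by reading server.info from the ServerInfo.properties entry inside lib/catalina.jar, the same file the Tomcat version check is based on. The <Install_Dir> layout follows the KB; the install and patch directories used by demo() are constructed fixtures, not real Tomcat jars.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Real location of the version properties file inside catalina.jar
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"
# Jar names the KB lists for the Tomcat 7.0.109 lib/ directory
EXPECTED_JARS = {"annotations-api.jar", "catalina.jar", "catalina-ant.jar", "catalina-ha.jar",
    "catalina-tribes.jar", "ecj-4.4.2.jar", "el-api.jar", "jasper.jar", "jasper-el.jar", "jsp-api.jar",
    "proxyrt.jar", "servlet-api.jar", "tomcat-api.jar", "tomcat-coyote.jar", "tomcat-dbcp.jar",
    "tomcat-i18n-es.jar", "tomcat-i18n-fr.jar", "tomcat-i18n-ja.jar", "tomcat-i18n-ru.jar",
    "tomcat-jdbc.jar", "tomcat-util.jar"}

def tomcat_version(lib_dir):
    """Return the server.info value from lib/catalina.jar, e.g. 'Apache Tomcat/7.0.109'."""
    with zipfile.ZipFile(Path(lib_dir) / "catalina.jar") as jar:
        for line in jar.read(SERVER_INFO).decode().splitlines():
            if line.startswith("server.info="):
                return line.split("=", 1)[1].strip()
    raise ValueError("server.info not found in catalina.jar")

def upgrade_lib(install_dir, patch_dir, expected="Apache Tomcat/7.0.109"):
    """KB steps 4 and 5: back up lib/, copy the patch jars in, then verify the result."""
    lib = Path(install_dir) / "Agent-for-SharePoint" / "Tomcat" / "lib"
    bak = lib.with_name("lib-BAK")
    if bak.exists():  # never clobber an earlier backup with already-patched jars
        raise FileExistsError(f"backup already exists: {bak}")
    before = tomcat_version(lib)
    shutil.copytree(lib, bak)  # step 4: lib -> lib-BAK
    for jar in (Path(patch_dir) / "lib").glob("*.jar"):
        shutil.copy2(jar, lib / jar.name)  # step 5: copy the files, not the lib/ directory itself
    after = tomcat_version(lib)
    missing = sorted(EXPECTED_JARS - {p.name for p in lib.glob("*.jar")})
    if after != expected or missing:
        raise RuntimeError(f"upgrade check failed: version={after!r}, missing={missing}")
    return {"before": before, "after": after, "backup": str(bak)}

def _fake_jar(path, version=None):
    """Constructed fixture: a minimal jar, carrying ServerInfo.properties when a version is given."""
    with zipfile.ZipFile(path, "w") as jar:
        if version:
            jar.writestr(SERVER_INFO, f"server.info=Apache Tomcat/{version}\n")

def demo():
    """Run the upgrade against a constructed 7.0.105 install and a constructed 7.0.109 patch."""
    root = Path(tempfile.mkdtemp())
    lib = root / "install" / "Agent-for-SharePoint" / "Tomcat" / "lib"
    lib.mkdir(parents=True)
    _fake_jar(lib / "catalina.jar", "7.0.105")
    patch_lib = root / "Tomcat-7.0.109" / "lib"
    patch_lib.mkdir(parents=True)
    for name in EXPECTED_JARS:
        _fake_jar(patch_lib / name, "7.0.109" if name == "catalina.jar" else None)
    return upgrade_lib(root / "install", root / "Tomcat-7.0.109")
```

On a real server, point upgrade_lib() at the actual <Install_Dir> and the unzipped Tomcat-7.0.109 directory with the agent stopped (step 3); tomcat_version() alone is enough to confirm the installed version before and after.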

Additional Information

Apache Tomcat 7.x vulnerabilities

How to Verify The Version of Tomcat on Siteminder Web Agent For Sharepoint

Vulnerabilities in Tomcat 9.0.102 and Older on Siteminder Agent for Sharepoint 12.8.x

The following CVEs are remediated by Tomcat 7.0.109:

CVE-2021-30640
CVE-2021-25329
CVE-2021-24122
CVE-2020-13935
CVE-2020-9484
CVE-2020-1938
CVE-2020-1935
CVE-2019-17569
CVE-2019-17563
CVE-2019-12418
CVE-2019-0232
CVE-2019-0221
CVE-2018-11784
CVE-2018-8034
CVE-2018-8014
CVE-2018-1336
CVE-2018-1305
CVE-2018-1304
CVE-2017-15706
CVE-2017-12617
CVE-2017-12616
CVE-2017-12615
CVE-2017-7674
CVE-2017-5664
CVE-2017-5647
CVE-2017-5648
CVE-2016-8745
CVE-2016-8735
CVE-2016-6816
CVE-2016-6797
CVE-2016-6796
CVE-2016-6794
CVE-2016-5018
CVE-2016-0762
CVE-2016-3092
CVE-2015-5345
CVE-2015-5351
CVE-2016-0706
CVE-2016-0714
CVE-2016-0763
CVE-2015-5346
CVE-2015-5174
CVE-2014-7810

Attachments

Tomcat-7.0.109.zip