Vulnerabilities in Tomcat 9.0.116 and Older on Siteminder Access Gateway
Article ID: 437528

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Siteminder Access Gateway r12.8.7 and higher bundles Apache Tomcat 9.0.x as the application server. Tomcat versions vary by the Access Gateway release:

r12.8.7:   Apache Tomcat 9.0.65
r12.8.8:   Apache Tomcat 9.0.83
r12.8.8.1: Apache Tomcat 9.0.86

r12.9 ships with Apache Tomcat 9.0.100.0

KB281190 (archived) delivered Tomcat 9.0.86
KB381451 (archived) delivered Tomcat 9.0.96
KB383137 (archived) delivered Tomcat 9.0.97
KB384944 (archived) delivered Tomcat 9.0.98
KB397315 (archived) delivered Tomcat 9.0.104
KB403333 (archived) delivered Tomcat 9.0.106
KB406223 (archived) delivered Tomcat 9.1.107
KB417926 (archived) delivered Tomcat 9.0.110
KB431996 (archived) delivered Tomcat 9.0.115


A number of vulnerabilities in Tomcat 9.0.116 and older are remediated in Tomcat 9.0.117 and higher.

This KB delivers Tomcat 9.0.117 for Siteminder Access Gateway.

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway

VERSIONS IMPACTED: r12.8.x; r12.9

OS: Any

Cause

CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

SEVERITY: Moderate

DESCRIPTION: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used.

IMPACTED: Tomcat 9.0.92 - 9.0.116

REMEDIATED: Apache Tomcat 9.0.117

CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token

SEVERITY: Low

DESCRIPTION: Cloud membership for clustering component exposed the Kubernetes bearer token.

IMPACTED: Tomcat 9.0.13 - 9.0.116

REMEDIATED: Apache Tomcat 9.0.117

CVE-2026-34486: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor

SEVERITY: Important

DESCRIPTION: An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed.

IMPACTED: 9.0.116

REMEDIATED: Apache Tomcat 9.0.117

CVE-2025-34483: Incomplete escaping of JSON access logs

SEVERITY: Low

DESCRIPTION: Incomplete escaping when non-default values were used for the Connector attributes relaxedPathChars and/or relaxedQueryChars allowed the injection of arbitrary JSON into the JSON access log.

IMPACTED: Tomcat 9.0.40 - 9.0.116

REMEDIATED: Apache Tomcat 9.0.117

CVE-2026-32990: The fix for CVE-2025-66614 was incomplete

SEVERITY: Moderate

DESCRIPTION: The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed.

IMPACTED: 9.0.113 to 9.0.115

REMEDIATED: Apache Tomcat 9.0.116 and higher

CVE-2026-29146: EncryptInterceptor vulnerable to padding oracle attack by default

SEVERITY: Important

DESCRIPTION: The EncryptInterceptor used CBC by default, which is vulnerable to a padding oracle attack.

IMPACTED: 9.0.13 to 9.0.115

REMEDIATED: Apache Tomcat 9.0.116 and higher

CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled

SEVERITY: Moderate

DESCRIPTION: CLIENT_CERT authentication did not fail OCSP checks as expected for some scenarios when soft fail was disabled.

REMEDIATED: Apache Tomcat 9.0.116 and higher

CVE-2026-29129: Configured TLS cipher preference order not preserved

SEVERITY: Low

DESCRIPTION: The addition of the ability to configure TLS 1.3 cipher suites did not preserve the order of the configured cipher suites and ciphers.

IMPACTED: 9.0.114 to 9.0.115

REMEDIATED: Apache Tomcat 9.0.116 and higher

CVE-2026-25854: Occasional open redirect

SEVERITY: Low

DESCRIPTION: When a Tomcat node in a cluster with the LoadBalancerDrainingValve was in the disabled (draining) state, a specially crafted URL could be used to trigger a redirect to a URI of the attacker's choice.

IMPACTED: 9.0.0.M23 to 9.0.115

REMEDIATED: Apache Tomcat 9.0.116 and higher

CVE-2026-24880: Request smuggling via invalid chunk extension

SEVERITY: Low

DESCRIPTION: Tomcat did not validate the contents of HTTP/1.1 chunk extensions. This enabled a request smuggling attack if a reverse proxy in front of Tomcat allowed CRLF sequences in an otherwise valid chunk extension.

IMPACTED: 9.0.0.M1 to 9.0.115

REMEDIATED: Apache Tomcat 9.0.116 and higher

Resolution

How to Verify The Version of Tomcat on Siteminder Access Gateway


Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.117

1) Download the Tomcat 9.0.117 patch ['Tomcat90117.zip' (attached to this KB)]

2) Copy 'Tomcat90117.zip' to the Access Gateway Server and unzip it.

3) Stop the Access Gateway Server

4) Back-up the <Install_Dir>\secure-proxy\Tomcat\lib directory

Defaults:

LINUX:   <Install_Dir> = /opt/CA/secure-proxy/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\secure-proxy\Tomcat\

cp -R /<Install_Dir>/secure-proxy/Tomcat/lib/ /<Install_Dir>/secure-proxy/Tomcat/lib-BAK

5) Back-up the <Install_Dir>\secure-proxy\Tomcat\bin directory

cp -R /<Install_Dir>/secure-proxy/Tomcat/bin/ /<Install_Dir>/secure-proxy/Tomcat/bin-BAK

6) Copy the following jar files from "Tomcat90117.zip/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib"

websocket-api.jar
tomcat-websocket.jar
tomcat-util-scan.jar
tomcat-util.jar
tomcat-jni.jar
tomcat-jdbc.jar
tomcat-i18n-zh-CN.jar
tomcat-i18n-ru.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ko.jar
tomcat-i18n-ja.jar
tomcat-i18n-fr.jar
tomcat-i18n-es.jar
tomcat-i18n-de.jar
tomcat-i18n-cs.jar
tomcat-dbcp.jar
tomcat-coyote-ffm.jar
tomcat-coyote.jar
tomcat-api.jar
servlet-api.jar
jsp-api.jar
jaspic-api.jar
jasper-el.jar
jasper.jar
el-api.jar
ecj-4.20.jar
catalina-tribes.jar
catalina-storeconfig.jar
catalina-ssi.jar
catalina-ha.jar
catalina-ant.jar
catalina.jar
annotations-api.jar

NOTE: Copy the files from the source directory to the target directory. Do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Path_to_Tomcat90117>/lib/* /<Install_Dir>/secure-proxy/Tomcat/lib/

7) Copy the following jar files from "Tomcat90117.zip/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin"

bootstrap.jar
commons-daemon.jar
tomcat-juli.jar

NOTE: Copy the files from the source directory to the target directory. Do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Path_to_Tomcat90117>/bin/* /<Install_Dir>/secure-proxy/Tomcat/bin/


8a) Linux - back up your /secure-proxy/proxy-engine/ProxyServer.sh and add the classpath entry for tomcat-juli.jar

Example:

SM_PROXY_CP=${TOMCAT_HOME}/bin/proxybootstrap.jar:${TOMCAT_HOME}/properties:${NETE_SPS_ROOT}/resources:${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/tools.jar:${TOMCAT_HOME}/bin/bootstrap.jar:${TOMCAT_HOME}/bin/tomcat-juli.jar:${TOMCAT_HOME}/lib/smi18n.jar:${NETE_SPS_ROOT}/agentframework/java/bc-fips-1.0.2.4.jar

8b) Windows - back up your secure-proxy\proxy-engine\conf\SmSpsProxyEngine.properties and add the classpath entry for tomcat-juli.jar

Example:

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxMetaspaceSize=256M -Dcatalina.base="%NETE_SPS_TOMCAT_HOME%" -Dcatalina.home="%NETE_SPS_TOMCAT_HOME%" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.io.tmpdir="%NETE_SPS_TOMCAT_HOME%\temp" -DSM_AGENT_LOG_CONFIG="%STS_AGENT_LOG_CONFIG_FILE%" -Dfile.encoding=UTF8 -DIWACONFIGHOME="%IWACONFIGHOME%" -Dlogger.properties="%NETE_SPS_TOMCAT_HOME%\properties\logger.properties" -classpath "%NETE_SPS_TOMCAT_HOME%\bin\proxybootstrap.jar;%NETE_SPS_TOMCAT_HOME%\bin\tomcat-juli.jar;%NETE_SPS_TOMCAT_HOME%\properties;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_TOMCAT_HOME%\bin\bootstrap.jar;%NETE_SPS_ROOT%\resources;%NETE_SPS_ROOT%\agentframework\java\bc-fips-1.0.2.4.jar" com.netegrity.proxy.ProxyBootstrap -config "%NETE_SPS_ROOT%/proxy-engine/conf/server.conf"


9) Start the Access Gateway Server.

10) Once functionality has been verified, you can delete the backed-up directories:

/<Install_Dir>/secure-proxy/Tomcat/lib-BAK
/<Install_Dir>/secure-proxy/Tomcat/bin-BAK
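As an added example (not a script shipped with this KB), the Linux portion of steps 4 through 8a written as shell functions: a pre-flight check that the unzipped patch contains every jar listed above, the backup-and-copy of lib and bin, and a check that SM_PROXY_CP in ProxyServer.sh carries tomcat-juli.jar. The patch directory and <Install_Dir> are assumed arguments; stopping and starting the Access Gateway (steps 3 and 9) is left to the operator.

```shell
#!/bin/sh
# Added example, not the KB's own tooling. Assumes: $1 = directory where
# Tomcat90117.zip was unzipped, $2 = <Install_Dir>. Run with the server stopped.
set -eu

# Jar files the KB lists for lib and bin of Tomcat90117.zip.
LIB_JARS="websocket-api.jar tomcat-websocket.jar tomcat-util-scan.jar tomcat-util.jar \
tomcat-jni.jar tomcat-jdbc.jar tomcat-i18n-zh-CN.jar tomcat-i18n-ru.jar tomcat-i18n-pt-BR.jar \
tomcat-i18n-ko.jar tomcat-i18n-ja.jar tomcat-i18n-fr.jar tomcat-i18n-es.jar tomcat-i18n-de.jar \
tomcat-i18n-cs.jar tomcat-dbcp.jar tomcat-coyote-ffm.jar tomcat-coyote.jar tomcat-api.jar \
servlet-api.jar jsp-api.jar jaspic-api.jar jasper-el.jar jasper.jar el-api.jar ecj-4.20.jar \
catalina-tribes.jar catalina-storeconfig.jar catalina-ssi.jar catalina-ha.jar catalina-ant.jar \
catalina.jar annotations-api.jar"
BIN_JARS="bootstrap.jar commons-daemon.jar tomcat-juli.jar"

# Pre-flight: refuse to touch the install if the patch is missing any listed jar,
# so a partial or wrong archive cannot leave a mixed set of Tomcat versions in lib/.
check_patch() {  # $1 = unzipped patch directory
  for j in $LIB_JARS; do [ -f "$1/lib/$j" ] || { echo "missing $1/lib/$j" >&2; return 1; }; done
  for j in $BIN_JARS; do [ -f "$1/bin/$j" ] || { echo "missing $1/bin/$j" >&2; return 1; }; done
}

# Steps 4-7: back up lib and bin, then copy the patch files (not the directories) over them.
upgrade_tomcat() {  # $1 = unzipped patch directory, $2 = <Install_Dir>
  tc="$2/secure-proxy/Tomcat"
  check_patch "$1" || return 1
  for d in lib bin; do
    [ ! -e "$tc/$d-BAK" ] || { echo "$tc/$d-BAK already exists, refusing" >&2; return 1; }
    cp -R "$tc/$d" "$tc/$d-BAK"
    cp -f "$1/$d"/* "$tc/$d/"
  done
}

# Step 8a check: the SM_PROXY_CP line of ProxyServer.sh must reference bin/tomcat-juli.jar.
juli_on_classpath() {  # $1 = path to ProxyServer.sh
  grep '^SM_PROXY_CP=' "$1" | grep -F '/bin/tomcat-juli.jar' >/dev/null
}
```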

Additional Information

How to Verify The Version of Tomcat on Siteminder Access Gateway

Fixed_in_Apache_Tomcat_9.0.117

Additional Vulnerabilities in Tomcat 9.0.115 and older:

CVE-2026-34500 
CVE-2026-34487 
CVE-2026-34486 
CVE-2025-34483 
CVE-2026-32990 
CVE-2026-29146
CVE-2026-29145
CVE-2026-29129
CVE-2026-25854
CVE-2026-24880
CVE-2026-24734
CVE-2026-24733
CVE-2025-66614
CVE-2025-61795
CVE-2025-55754
CVE-2025-48989
CVE-2025-52434
CVE-2025-52520
CVE-2025-53506
CVE-2025-49125
CVE-2025-49124
CVE-2025-48988
CVE-2025-18976
CVE-2025-46701
CVE-2025-31651
CVE-2025-31650
CVE-2028-24813
CVE-2024-56337
CVE-2024-54677
CVE-2024-50379
CVE-2024-52318
CVE-2024-52317
CVE-2024-52316
CVE-2024-34750
CVE-2024-38286
CVE-2024-23672
CVE-2024-24549
CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252

Attachments

Tomcat90117.zip