CA Access Gateway (SPS) vulnerabilities CVE-2007-6750 and CVE-2012-5568


Article ID: 7973


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

I run CA Access Gateway (SPS), and we've discovered the following vulnerabilities, CVE-2007-6750 and CVE-2012-5568:

CVE-2007-6750:

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.
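The CVE text above points at mod_reqtimeout as the Apache-side mitigation: it bounds how long a client may take to deliver request headers and body, so a connection that trickles in a few bytes at a time is closed instead of holding a worker indefinitely. The following is an added example of an Apache httpd 2.4 configuration fragment enabling that module; it is not taken from the CA article or from the SPS product files, and the module path and the timeout values are illustrative assumptions, not the settings shipped with SPS.

```apache
# Added example (not from the CA article): generic Apache httpd 2.4
# configuration enabling mod_reqtimeout, the module named in the
# CVE-2007-6750 description as the mitigation for partial-request
# (Slowloris-style) denial of service. Module path and values are assumed.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Headers: allow 20 s to receive the complete request headers; once data
# starts arriving, extend the window up to 40 s as long as the client keeps
# sending at least 500 bytes/s. Body: same 20 s window and 500 B/s floor.
# A connection that falls below these limits is closed with a 408 response.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Complementary limits: how long to wait on a connection that sends nothing,
# and how long to keep an idle keep-alive connection open.
Timeout 60
KeepAliveTimeout 5
```

The values are a starting point, not a recommendation for SPS: tighten or loosen them against the latency of legitimate clients, and confirm with `apachectl -M` (or the equivalent for the bundled httpd) that `reqtimeout_module` is actually loaded. For the Tomcat side (CVE-2012-5568), the analogous knob is the `connectionTimeout` attribute on the HTTP `Connector` in server.xml; the article does not state what value the SPS bundle uses.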

CVE-2012-5568:

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

Environment

CA Access Gateway (SPS) 12.52 SP1 CR6

Resolution

Upgrade CA Access Gateway (SPS) to 12.52 SP1 CR07 to benefit from the following fix:

00662673 - DE276198

OpenSSL is upgraded to OpenSSL 1.0.2k.

Apache is upgraded to Apache 2.4.25.

Apache Tomcat is upgraded to Apache Tomcat 7.0.77.0.

Defects Fixed in 12.52 SP1 CR07