There doesn't seem to be any way to access the underlying PAM OS via SSH w/root or sudo type account to update the OS or software on the appliance.
How are OS, packages, and configurations to secure the VM host provided?
This affects all PAM releases.
For troubleshooting purposes, we can SSH with the aid of CA Support using the Remote CA PAM Debugging Services.
We use this for troubleshooting. First Support provides a package that contains the remote debug patch and a .ppk file.
SSH is done during a remote session with support, using Putty with key authentication, and control is passed to the Support person who has the password.
When vulnerabilities come out, CA reviews them to see if they apply to the product and issues a statement on the support portal, about whether the CA product is affected by the vulnerability, and if so, when the patch will be available.
Any patches needed to the jre, openssl, etc, are done through the patch process. You can view examples of patches here, and if you search for the word 'vulnerability' on this page, you will see examples of hotfixes put out to correct vulnerabilities.