Tomcat 9.0.83 and Older Vulnerability on Siteminder Access Gateway

Article ID: 281190


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Siteminder Access Gateway r12.8.5 and later bundle Apache Tomcat 9.0.x as the application server. The bundled Tomcat version depends on the Access Gateway release:

r12.8.5:       Apache Tomcat 9.0.41
r12.8.6:       Apache Tomcat 9.0.52
r12.8.6a:      Apache Tomcat 9.0.58
r12.8.7:       Apache Tomcat 9.0.65
r12.8.8:       Apache Tomcat 9.0.83
r12.8.8 SP01:  Apache Tomcat 9.0.86

KB276868 also delivers Tomcat 9.0.83

A number of vulnerabilities have been reported against Tomcat 9.0.x; all of them are remediated in Tomcat 9.0.86. This KB delivers Apache Tomcat 9.0.86 as a drop-in upgrade for Siteminder Access Gateway r12.8.5 through r12.8.8. Note that r12.8.8.01 (r12.8.8 SP01) already ships with Apache Tomcat 9.0.86 and does not need this upgrade.

Environment

Product: Siteminder
Component: Access Gateway
Version=12.80.0500.2546 and later
Operating system: Any

Cause

CVE-2024-23672

Description (denial of service): It was possible for a WebSocket client to keep a WebSocket connection open, leading to increased resource consumption on the server.

Impacted: Tomcat 9.0.0-M1 - 9.0.85

Remediated: 9.0.86

CVE-2024-24549

Description (denial of service): When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed, so a client could make the server keep parsing headers for a stream that was going to be rejected anyway.

Impacted: Tomcat 9.0.0-M1 - 9.0.85

Remediated: 9.0.86

 

Resolution

How to Verify The Version of Tomcat on Siteminder Access Gateway

1) Log on to the host running Siteminder Access Gateway.

2) Change to the Tomcat lib directory of the Access Gateway installation (<Install_Dir> is the directory that contains secure-proxy, by default /opt/CA on Linux and C:\Program Files\CA on Windows):

cd <Install_Dir>/secure-proxy/Tomcat/lib/

3) Run the following command:

java -cp catalina.jar org.apache.catalina.util.ServerInfo

4) Record the version of the Tomcat server from the "Server version:" line (for example "Apache Tomcat/9.0.83"). If it already reports 9.0.86 or later (as r12.8.8 SP01 does), no upgrade is needed.

 

Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.86

1) Download the Tomcat 9.0.86 patch, 'Tomcat_9.0.86.zip', attached to this KB.

2) Copy 'Tomcat_9.0.86.zip' to the Access Gateway server and unzip it.

3) Stop the Access Gateway server.

4) Back up the <Install_Dir>/secure-proxy/Tomcat/lib directory.

Defaults (<Install_Dir> is the directory that contains secure-proxy):

LINUX:       <Install_Dir> = /opt/CA
WINDOWS:     <Install_Dir> = C:\Program Files\CA

cp -R <Install_Dir>/secure-proxy/Tomcat/lib/ <Install_Dir>/secure-proxy/Tomcat/lib-BAK

5) Back up the <Install_Dir>/secure-proxy/Tomcat/bin directory.

cp -R <Install_Dir>/secure-proxy/Tomcat/bin/ <Install_Dir>/secure-proxy/Tomcat/bin-BAK

6) Copy the following jar files from "Tomcat_9.0.86/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib":

annotations-api.jar
catalina.jar
catalina-ant.jar
catalina-ha.jar
catalina-ssi.jar
catalina-storeconfig.jar
catalina-tribes.jar
ecj-4.20.jar
el-api.jar
jasper.jar
jasper-el.jar
jaspic-api.jar
jsp-api.jar
servlet-api.jar
tomcat-api.jar
tomcat-coyote.jar
tomcat-dbcp.jar
tomcat-i18n-cs.jar
tomcat-i18n-de.jar
tomcat-i18n-es.jar
tomcat-i18n-fr.jar
tomcat-i18n-ja.jar
tomcat-i18n-ko.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ru.jar
tomcat-i18n-zh-CN.jar
tomcat-jdbc.jar
tomcat-jni.jar
tomcat-util.jar
tomcat-util-scan.jar
tomcat-websocket.jar
websocket-api.jar

NOTE: Copy the files from the source directory into the target directory. Do not copy the /bin and /lib directories themselves. Copying file-by-file overwrites jars of the same name but leaves any jar whose name differs in place; if the installed release carries an ecj jar with a different version suffix than the ecj-4.20.jar delivered here, remove the old one so that only one copy of the JSP compiler is on the classpath.

EXAMPLE:

cp -rf <Tomcat_9.0.86>/lib/* <Install_Dir>/secure-proxy/Tomcat/lib/

7) Copy the following jar files from "Tomcat_9.0.86/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin":

bootstrap.jar
commons-daemon.jar
tomcat-juli.jar

NOTE: As in step 6, copy the files from the source directory into the target directory; do not copy the /bin directory itself.

EXAMPLE:

cp -rf <Tomcat_9.0.86>/bin/* <Install_Dir>/secure-proxy/Tomcat/bin/

8) Start the Access Gateway server and re-run the version check from "How to Verify The Version of Tomcat on Siteminder Access Gateway"; it should now report Apache Tomcat/9.0.86.

9) Once functionality has been verified, you can delete the backed-up directories:

<Install_Dir>/secure-proxy/Tomcat/lib-BAK
<Install_Dir>/secure-proxy/Tomcat/bin-BAK
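The version check and the back-up/copy steps above, as one added shell script for Linux (example code, not Broadcom's tooling; the KB itself gives only the manual commands). It assumes <Install_Dir> is the directory that contains secure-proxy (default /opt/CA) and that the patch has been unzipped into a directory holding lib/ and bin/; both paths are script arguments. Beyond the KB it adds three checks a practitioner would want: it refuses to overwrite an existing lib-BAK or bin-BAK, it removes a leftover ecj-*.jar whose name differs from the one delivered (a file-by-file copy would otherwise leave two compiler jars in lib/), and it parses the ServerInfo output afterwards to confirm that 9.0.86 is in place.

```shell
#!/bin/sh
# Added example: the KB's manual steps as POSIX sh functions (Linux only).
# Not Broadcom's tooling. Assumptions: INSTALL_DIR is the directory that
# contains secure-proxy/ (default /opt/CA); PATCH_DIR is the unzipped
# Tomcat_9.0.86 directory holding lib/ and bin/. Stop the Access Gateway first.

TARGET_VERSION=9.0.86   # the Tomcat version this KB delivers

# Pull "9.0.83" out of org.apache.catalina.util.ServerInfo output, whose first
# line reads "Server version: Apache Tomcat/9.0.83".
tomcat_version_from_serverinfo() {
    printf '%s\n' "$1" |
        sed -n 's#^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*#\1#p' |
        head -n 1
}

# Numeric major.minor.patch compare: succeeds when $1 is older than $2.
version_lt() {
    a=$1; b=$2
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
    [ "$a1" -ne "$b1" ] && { [ "$a1" -lt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -lt "$b2" ]; return; }
    [ "$a3" -lt "$b3" ]
}

# KB "How to Verify" step 3: run ServerInfo from the bundled catalina.jar.
installed_tomcat_version() {
    lib="$1/secure-proxy/Tomcat/lib"
    out=$(cd "$lib" && java -cp catalina.jar org.apache.catalina.util.ServerInfo) || return 1
    tomcat_version_from_serverinfo "$out"
}

# KB steps 4-7: back up lib/ and bin/, then copy the patch jars file-by-file
# into the existing directories (never the directories themselves).
upgrade_tomcat_jars() {
    patch_dir=$1; tomcat="$2/secure-proxy/Tomcat"
    for d in lib bin; do
        [ -d "$patch_dir/$d" ] || { echo "$patch_dir/$d not found" >&2; return 1; }
        [ -d "$tomcat/$d" ]    || { echo "$tomcat/$d not found" >&2; return 1; }
        # Added check: an existing backup may be the only known-good copy.
        if [ -e "$tomcat/$d-BAK" ]; then
            echo "$tomcat/$d-BAK already exists; remove or rename it first" >&2
            return 1
        fi
    done
    for d in lib bin; do
        cp -R "$tomcat/$d" "$tomcat/$d-BAK" || return 1
        cp -f "$patch_dir/$d"/*.jar "$tomcat/$d/" || return 1
    done
    # Added check: the JSP compiler jar carries its version in its name
    # (ecj-4.20.jar in 9.0.86). If the installed Tomcat shipped a differently
    # named ecj jar, the copy above leaves both on the classpath; drop the old one.
    for new in "$patch_dir"/lib/ecj-*.jar; do
        [ -f "$new" ] || continue
        for old in "$tomcat"/lib/ecj-*.jar; do
            [ "$(basename "$old")" = "$(basename "$new")" ] || rm -f "$old"
        done
    done
}

# After step 8: re-run the version check and fail if the target is not in place.
verify_tomcat_version() {
    v=$(installed_tomcat_version "$1") || return 1
    if version_lt "$v" "$TARGET_VERSION"; then
        echo "Tomcat is $v, still older than $TARGET_VERSION" >&2
        return 1
    fi
    echo "Tomcat $v"
}

# Usage: sh upgrade_ag_tomcat.sh /tmp/Tomcat_9.0.86 /opt/CA   (with the Access Gateway stopped)
if [ "$#" -eq 2 ]; then
    upgrade_tomcat_jars "$1" "$2" && verify_tomcat_version "$2"
fi
```

The script names upgrade_ag_tomcat.sh and the /tmp unzip location in the usage line are placeholders. Run it as the account that owns the secure-proxy tree; verify_tomcat_version only reads catalina.jar, so it can run before the Access Gateway is started again, but the functional check in step 9 still has to be done by hand.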

Additional Information

Apache.org: Fixed in Apache Tomcat 9.0.86

Tomcat 9.0.86 also remediates the following CVEs, fixed in the 9.0.x releases between 9.0.41 and 9.0.86, so upgrading from any of the bundled versions listed above closes them as well:

CVE-2024-23672
CVE-2024-24549
CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252
CVE-2022-34305
CVE-2022-29885
CVE-2021-43980
CVE-2022-23181
CVE-2021-42340
CVE-2021-33037
CVE-2021-30640
CVE-2021-30639
CVE-2021-41079
CVE-2021-25329
CVE-2021-25122

Attachments

Tomcat_9086.zip