Vulnerabilities in Tomcat 9.0.110 and Older on Siteminder Access Gateway

Article ID: 417926

Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

Siteminder Access Gateway r12.8.7 and higher bundles Apache Tomcat 9.0.x as the application server. The bundled Tomcat version varies by Access Gateway release:

r12.8.7:    Apache Tomcat 9.0.65
r12.8.8:    Apache Tomcat 9.0.83
r12.8.8.1:  Apache Tomcat 9.0.86
r12.9:      Apache Tomcat 9.0.100.0

Earlier KBs (all now archived) delivered updated Tomcat builds:

KB281190 delivered Tomcat 9.0.86
KB381451 delivered Tomcat 9.0.96
KB383137 delivered Tomcat 9.0.97
KB384944 delivered Tomcat 9.0.98
KB397315 delivered Tomcat 9.0.104
KB403333 delivered Tomcat 9.0.106
KB406223 delivered Tomcat 9.1.107

A number of vulnerabilities in Tomcat 9.0.110 and older are remediated in Tomcat 9.0.111 and higher.

This KB delivers Tomcat 9.0.111 for Siteminder Access Gateway.

For the Sharepoint Agent see: KB417957 Vulnerabilities in Tomcat 9.0.110 and Older on Siteminder Agent for Sharepoint 12.8.x 

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway

VERSIONS IMPACTED: r12.8.x; r12.9

OS: Any

Cause

CVE-2025-61795 
Severity: Low
Description: Delayed cleaning of multipart upload temporary files may lead to DoS 

If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.

Affects: 9.0.0.M1 to 9.0.109

Remediated: Apache Tomcat 9.0.110

======================================
CVE-2025-55754 
Severity: Low
Description: Console manipulation via escape sequences in log messages

Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.

Affects: 9.0.40 to 9.0.108

Remediated: Apache Tomcat 9.0.109

======================================
CVE-2025-55752
Severity: Important
Description: Directory traversal via Rewrite Valve with possible remote code execution if PUT is enabled

The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

Affects: 9.0.0.M11 to 9.0.108

Remediated: Apache Tomcat 9.0.109

======================================
CVE-2025-48989 
Severity: Important
Description: DoS in HTTP/2 due to client triggered stream reset

Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError.

Affects: 9.0.0.M1 to 9.0.107

Remediated: Apache Tomcat 9.0.108
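Each advisory above gives its affected range in 9.0.N terms. The POSIX shell snippet below is an added example, not part of this KB or of Siteminder, that turns those four ranges into a quick check of an installed version string (for example the "Server version" line printed by `java -cp <Install_Dir>/secure-proxy/Tomcat/lib/catalina.jar org.apache.catalina.util.ServerInfo`). The function names and the CVE_TABLE layout are this example's own; milestone builds such as 9.0.0.M1 and 9.0.0.M11 are treated as patch level 0, below every released 9.0.N.

```shell
#!/bin/sh
# Added example (not from the KB): check an installed Tomcat 9.0.x version
# against the affected ranges quoted in the Cause section of this KB.
# Function and variable names are this example's own.

# Print the N of a 9.0.N version string. Milestone builds (9.0.0.M1, 9.0.0.M11)
# and four-part strings (9.0.100.0) reduce to their third numeric component;
# anything outside the 9.0 line is rejected with status 1.
tomcat_patch_level() {
    case "$1" in
        9.0.*) level=$(printf '%s\n' "${1#9.0.}" | sed 's/[^0-9].*$//') ;;
        *)     return 1 ;;
    esac
    [ -n "$level" ] || return 1
    printf '%s\n' "$level"
}

# Affected ranges from the KB as "CVE first_affected last_affected" (9.0.N).
# 9.0.0.M1 and 9.0.0.M11 are recorded as level 0 (assumption of this example).
CVE_TABLE='CVE-2025-61795 0 109
CVE-2025-55754 40 108
CVE-2025-55752 0 108
CVE-2025-48989 0 107'

# Print each CVE whose range contains the given version, one per line;
# return 1 if the version is not a 9.0.x string.
affected_cves() {
    level=$(tomcat_patch_level "$1") || return 1
    printf '%s\n' "$CVE_TABLE" | while read -r cve lo hi; do
        if [ "$level" -ge "$lo" ] && [ "$level" -le "$hi" ]; then
            printf '%s\n' "$cve"
        fi
    done
    return 0
}

# Return 0 when the version is below the 9.0.111 build this KB delivers.
needs_kb_patch() {
    level=$(tomcat_patch_level "$1") || return 1
    [ "$level" -lt 111 ]
}

# Command-line use: ./tomcat_cve_check.sh 9.0.106
if [ $# -eq 1 ]; then
    if ! tomcat_patch_level "$1" >/dev/null; then
        echo "not a Tomcat 9.0.x version string: $1" >&2
        exit 2
    fi
    if affected_cves "$1" | grep .; then
        echo "$1 is affected by the CVEs listed above"
    elif needs_kb_patch "$1"; then
        echo "$1 is below 9.0.111; apply this KB"
    else
        echo "$1 is at or above 9.0.111"
    fi
fi
```

Only the four CVEs detailed in this KB are in the table; the longer list under Additional Information has no ranges on this page, so a version that passes this check is not thereby clear of those.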

Resolution

How to Verify The Version of Tomcat on Siteminder Access Gateway


Upgrade Tomcat for Symantec Siteminder Access Gateway to Tomcat 9.0.111

1) Download the Tomcat 9.0.111 patch, 'Tomcat_9.0.111.zip' (attached to this KB).

2) Copy 'Tomcat_9.0.111.zip' to the Access Gateway Server and unzip it.

3) Stop the Access Gateway Server

4) Back up the <Install_Dir>\secure-proxy\Tomcat\lib directory.

Defaults:

LINUX:   <Install_Dir> = /opt/CA/secure-proxy/Tomcat/
WINDOWS: <Install_Dir> = C:\Program Files\CA\secure-proxy\Tomcat\

cp -R /<Install_Dir>/secure-proxy/Tomcat/lib/ /<Install_Dir>/secure-proxy/Tomcat/lib-BAK

5) Back up the <Install_Dir>\secure-proxy\Tomcat\bin directory.

cp -R /<Install_Dir>/secure-proxy/Tomcat/bin/ /<Install_Dir>/secure-proxy/Tomcat/bin-BAK

6) Copy the following jar files from "Tomcat_9.0.111.zip/lib" to "<Install_Dir>/secure-proxy/Tomcat/lib"

websocket-api.jar
tomcat-websocket.jar
tomcat-util-scan.jar
tomcat-util.jar
tomcat-jni.jar
tomcat-jdbc.jar
tomcat-i18n-zh-CN.jar
tomcat-i18n-ru.jar
tomcat-i18n-pt-BR.jar
tomcat-i18n-ko.jar
tomcat-i18n-ja.jar
tomcat-i18n-fr.jar
tomcat-i18n-es.jar
tomcat-i18n-de.jar
tomcat-i18n-cs.jar
tomcat-dbcp.jar
tomcat-coyote-ffm.jar
tomcat-coyote.jar
tomcat-api.jar
servlet-api.jar
jsp-api.jar
jaspic-api.jar
jasper-el.jar
jasper.jar
el-api.jar
ecj-4.20.jar
catalina-tribes.jar
catalina-storeconfig.jar
catalina-ssi.jar
catalina-ha.jar
catalina-ant.jar
catalina.jar
annotations-api.jar

NOTE: Copy the files from the source directory into the target directory. Do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Path_to_Tomcat_9.0.111>/lib/* /<Install_Dir>/secure-proxy/Tomcat/lib/

7) Copy the following jar files from "Tomcat_9.0.111.zip/bin" to "<Install_Dir>/secure-proxy/Tomcat/bin"

bootstrap.jar
commons-daemon.jar
tomcat-juli.jar

NOTE: Copy the files from the source directory into the target directory. Do not copy the /bin and /lib directories themselves.

EXAMPLE:

cp -rf /<Path_to_Tomcat_9.0.111>/bin/* /<Install_Dir>/secure-proxy/Tomcat/bin/


8a) Linux: back up your /secure-proxy/proxy-engine/ProxyServer.sh and add ${TOMCAT_HOME}/bin/tomcat-juli.jar to the SM_PROXY_CP classpath.

Example:

SM_PROXY_CP=${TOMCAT_HOME}/bin/proxybootstrap.jar:${TOMCAT_HOME}/properties:${NETE_SPS_ROOT}/resources:${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/tools.jar:${TOMCAT_HOME}/bin/bootstrap.jar:${TOMCAT_HOME}/bin/tomcat-juli.jar:${TOMCAT_HOME}/lib/smi18n.jar:${NETE_SPS_ROOT}/agentframework/java/bc-fips-1.0.2.4.jar

8b) Windows: back up your secure-proxy\proxy-engine\conf\SmSpsProxyEngine.properties and add %NETE_SPS_TOMCAT_HOME%\bin\tomcat-juli.jar to the -classpath entry of NETE_SPS_PROXYENGINE_CMD.

Example:

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxMetaspaceSize=256M -Dcatalina.base="%NETE_SPS_TOMCAT_HOME%" -Dcatalina.home="%NETE_SPS_TOMCAT_HOME%" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.endorsed.dirs="%NETE_SPS_TOMCAT_HOME%\endorsed" -Djava.io.tmpdir="%NETE_SPS_TOMCAT_HOME%\temp" -DSM_AGENT_LOG_CONFIG="%STS_AGENT_LOG_CONFIG_FILE%" -Dfile.encoding=UTF8 -DIWACONFIGHOME="%IWACONFIGHOME%" -Dlogger.properties="%NETE_SPS_TOMCAT_HOME%\properties\logger.properties" -classpath "%NETE_SPS_TOMCAT_HOME%\bin\proxybootstrap.jar;%NETE_SPS_TOMCAT_HOME%\bin\tomcat-juli.jar;%NETE_SPS_TOMCAT_HOME%\properties;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_JAVA_HOME%\lib\tools.jar;%NETE_SPS_TOMCAT_HOME%\bin\bootstrap.jar;%NETE_SPS_ROOT%\resources;%NETE_SPS_ROOT%\agentframework\java\bc-fips-1.0.2.4.jar" com.netegrity.proxy.ProxyBootstrap -config "%NETE_SPS_ROOT%/proxy-engine/conf/server.conf"


9) Start the Access Gateway Server.

10) Once functionality has been verified, you can delete the backed-up directories:

/<Install_Dir>/secure-proxy/Tomcat/lib-BAK
/<Install_Dir>/secure-proxy/Tomcat/bin-BAK
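The POSIX shell helper below is an added example, not shipped with this KB or with Siteminder, that scripts steps 4 to 7 with the pre-flight check a practitioner would want first: it refuses to touch the install until every jar the KB lists is present in the unzipped patch, backs up lib and bin exactly as the cp commands above do, copies files rather than the directories themselves, and finally greps the step 8 start-up file for the tomcat-juli.jar entry. It assumes the Access Gateway is already stopped (step 3) and that it runs as the user owning the install; the function names, the refusal to overwrite an existing -BAK copy and the missing-jar report are this example's additions.

```shell
#!/bin/sh
# Added example (not from the KB): pre-check the unzipped Tomcat_9.0.111
# directory, back up lib/ and bin/, copy the files (never the directories
# themselves), and check the tomcat-juli.jar classpath entry of step 8.

# Jar files the KB lists for <Install_Dir>/secure-proxy/Tomcat/lib
LIB_JARS="websocket-api.jar tomcat-websocket.jar tomcat-util-scan.jar tomcat-util.jar
tomcat-jni.jar tomcat-jdbc.jar tomcat-i18n-zh-CN.jar tomcat-i18n-ru.jar
tomcat-i18n-pt-BR.jar tomcat-i18n-ko.jar tomcat-i18n-ja.jar tomcat-i18n-fr.jar
tomcat-i18n-es.jar tomcat-i18n-de.jar tomcat-i18n-cs.jar tomcat-dbcp.jar
tomcat-coyote-ffm.jar tomcat-coyote.jar tomcat-api.jar servlet-api.jar jsp-api.jar
jaspic-api.jar jasper-el.jar jasper.jar el-api.jar ecj-4.20.jar catalina-tribes.jar
catalina-storeconfig.jar catalina-ssi.jar catalina-ha.jar catalina-ant.jar
catalina.jar annotations-api.jar"
# Jar files the KB lists for <Install_Dir>/secure-proxy/Tomcat/bin
BIN_JARS="bootstrap.jar commons-daemon.jar tomcat-juli.jar"

# Print every expected jar missing from $1/lib and $1/bin; return 1 if any is missing.
missing_jars() {
    src=$1; status=0
    for jar in $LIB_JARS; do
        [ -f "$src/lib/$jar" ] || { printf 'lib/%s\n' "$jar"; status=1; }
    done
    for jar in $BIN_JARS; do
        [ -f "$src/bin/$jar" ] || { printf 'bin/%s\n' "$jar"; status=1; }
    done
    return $status
}

# Steps 4 and 5: copy $1 to $1-BAK; refuse to overwrite an earlier backup
# so a second run cannot replace the pre-patch copy with patched files.
backup_dir() {
    if [ -e "$1-BAK" ]; then
        printf 'backup already exists: %s-BAK\n' "$1" >&2
        return 1
    fi
    cp -R "$1" "$1-BAK"
}

# Steps 4 to 7: back up, then copy the files from the unzipped patch into
# TOMCAT_HOME. Nothing is touched if the patch source is incomplete.
#   $1 = unzipped Tomcat_9.0.111 directory, $2 = <Install_Dir>/secure-proxy/Tomcat
apply_tomcat_patch() {
    src=$1; home=$2
    if ! missing_jars "$src" >/dev/null; then
        printf 'incomplete patch source, missing:\n' >&2
        missing_jars "$src" >&2
        return 1
    fi
    backup_dir "$home/lib" || return 1
    backup_dir "$home/bin" || return 1
    cp -Rf "$src"/lib/* "$home/lib/" || return 1
    cp -Rf "$src"/bin/* "$home/bin/" || return 1
}

# Step 8: the start-up file (ProxyServer.sh on Linux, SmSpsProxyEngine.properties
# on Windows) must name tomcat-juli.jar in its classpath; only the name is checked,
# so the ':' versus ';' separator does not matter.
classpath_has_juli() {
    grep -q 'tomcat-juli\.jar' "$1"
}

# Command-line use: ./apply_tomcat_patch.sh /path/to/Tomcat_9.0.111 /opt/CA/secure-proxy/Tomcat
if [ $# -eq 2 ]; then
    apply_tomcat_patch "$1" "$2"
fi
```

Step 8 still has to be done by hand; classpath_has_juli only tells you whether it has been done before the server is started in step 9.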

Additional Information

How to Verify The Version of Tomcat on Siteminder Access Gateway

KB417957 Vulnerabilities in Tomcat 9.0.110 and Older on Siteminder Agent for Sharepoint 12.8.x 

Fixed in Apache Tomcat 9.0.111

Additional Vulnerabilities in Tomcat 9.0.110 and older: 

CVE-2025-61795
CVE-2025-55754
CVE-2025-48989
CVE-2025-52434
CVE-2025-52520
CVE-2025-53506
CVE-2025-49125
CVE-2025-49124
CVE-2025-48988
CVE-2025-18976
CVE-2025-46701
CVE-2025-31651
CVE-2025-31650
CVE-2028-24813
CVE-2024-56337
CVE-2024-54677
CVE-2024-50379
CVE-2024-52318
CVE-2024-52317
CVE-2024-52316
CVE-2024-34750
CVE-2024-38286
CVE-2024-23672
CVE-2024-24549
CVE-2023-46589
CVE-2023-45648
CVE-2023-44487
CVE-2023-42795
CVE-2023-42794
CVE-2023-41080
CVE-2023-34981
CVE-2023-28709
CVE-2023-28708
CVE-2023-24998
CVE-2022-45143
CVE-2022-42252
CVE-2022-34305
CVE-2022-29885
CVE-2021-43980
CVE-2022-23181
CVE-2021-42340
CVE-2021-33037
CVE-2021-30640
CVE-2021-30639
CVE-2021-41079
CVE-2021-25329
CVE-2021-25122

Attachments

Tomcat_9.0.111.zip