The vulnerability described in Bugtraq 13873 / CVE-2005-2090 affects Tomcat. Symantec Messaging Gateway (SMG) uses Tomcat. Is the Tomcat version used in SMG versions 9.5 and above affected by this vulnerability?
According to the information at http://tomcat.apache.org/security-5.html, the vulnerability is fixed in Tomcat 5.5.23d. The versions affected by CVE-2005-2090 are 5.0.0-5.0.30 and 5.5.0-5.5.22.
More information about this vulnerability is available here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
Note: Symantec provides these links as a convenience only. The inclusion of such links does not imply that Symantec endorses, recommends, or accepts any responsibility for the content of such sites.
Up to and including SMG version 9.5.4, the Tomcat version used is 5.5.12. This means that SMG version 9.5.4 and lower versions are affected.
However, there are a few mitigating factors that diminish the impact of this vulnerability:
Comment that can be provided to the customer on the phone or via email:
"This issue has been addressed in Symantec Messaging Gateway as of version 10.5."