CA Directory/Tomcat vulnerabilities detected: CVE-2014-0227, CVE-2014-0075, and others.

Document ID : KB000031994
Last Modified Date : 14/02/2018

Issue:

A security scan of R12.5 servers reports several vulnerabilities on the CA Directory AdminUI server, which runs on Apache Tomcat. Port 7080 is held by a Java process that starts the org.apache.catalina.startup.Bootstrap class, which loads the Tomcat libraries in the background.

The following vulnerabilities may be reported:

CVE-2014-0227
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119
CVE-2013-4590
CVE-2013-4322
CVE-2014-0230
CVE-2014-7810

Environment:

CA Directory Management (SP14):

Apache Commons Lang 2.1
Apache log4j 1.2.8
Apache Tomcat 6.0.32
Apache XML Security 1.3
Apache Velocity 1.5

Cause:

The CVEs listed above affect Apache Tomcat 6.0.32, the version shipped with CA Directory for use by dxmanager. Apache resolved all of these vulnerabilities in Tomcat 6.0.44.

Resolution:

Upgrade to CA Directory 12.0.16 when it becomes available. CA Directory 12.0.16 will ship with Tomcat 6.0.44 for dxmanager, and Tomcat 6.0.44 includes fixes for all the vulnerabilities listed above.

Alternatively, you can upgrade the existing Tomcat version (6.0.32) to Tomcat 6.0.44:

1) Stop Dxwebserver.
2) Back up the current "bin" and "lib" folders under $DXWEBHOME.
3) Replace them with the "bin" and "lib" folders from the Tomcat 6.0.44 distribution, which can be downloaded from the Tomcat website (https://tomcat.apache.org/download-60.cgi).
4) Start Dxwebserver.
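The script below is an added example that automates steps 1 to 4 and verifies the Tomcat version before and after the swap; it is not CA's code and is not part of this article. It assumes $DXWEBHOME is set, that java is on PATH (the version is read with Tomcat's own org.apache.catalina.util.ServerInfo class), and that DXWEB_STOP_CMD and DXWEB_START_CMD are placeholders the operator sets to the site's actual Dxwebserver stop and start commands.

```bash
#!/bin/bash
# Added example (not from the KB): swaps the Tomcat bin/ and lib/ under $DXWEBHOME for the
# 6.0.44 ones, keeping a timestamped backup, and checks the version before and after.
# DXWEB_STOP_CMD / DXWEB_START_CMD are placeholders for the real Dxwebserver commands.
set -u
REQUIRED_TOMCAT=6.0.44

# Pull "6.0.32" out of a ServerInfo banner such as "Server version: Apache Tomcat/6.0.32".
tomcat_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: *Apache Tomcat/\([0-9][0-9.]*\).*#\1#p'
}
# Report the version of the Tomcat whose lib/ sits under $1 (empty if java or the jar is missing).
installed_tomcat_version() {
    tomcat_version_from_banner "$(java -cp "$1/lib/catalina.jar" org.apache.catalina.util.ServerInfo 2>/dev/null)"
}
# True when dotted version $1 is at least $2, comparing each component numerically.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}
# Steps 2 and 3: move the current bin/ and lib/ into a backup folder, copy the new ones in,
# and print the backup path so a rollback is just moving the two folders back.
replace_tomcat_dirs() {
    home=$1; newdist=$2
    for d in bin lib; do
        [ -d "$newdist/$d" ] || { echo "missing $newdist/$d" >&2; return 1; }
    done
    backup="$home/tomcat-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    for d in bin lib; do
        mv "$home/$d" "$backup/$d" && cp -R "$newdist/$d" "$home/$d" || return 1
    done
    printf '%s\n' "$backup"
}
# Steps 1 to 4 end to end; $1 is the unpacked apache-tomcat-6.0.44 directory.
upgrade_dxweb_tomcat() {
    home=${DXWEBHOME:?set DXWEBHOME to the AdminUI install directory}
    newdist=${1:?path to the unpacked Tomcat 6.0.44 distribution}
    cur=$(installed_tomcat_version "$home")
    if [ -n "$cur" ] && version_ge "$cur" "$REQUIRED_TOMCAT"; then echo "already at $cur"; return 0; fi
    new=$(installed_tomcat_version "$newdist")
    if [ -n "$new" ] && ! version_ge "$new" "$REQUIRED_TOMCAT"; then
        echo "$newdist is Tomcat $new, not $REQUIRED_TOMCAT or later" >&2; return 1
    fi
    ${DXWEB_STOP_CMD:?placeholder: command that stops Dxwebserver}      # step 1
    backup=$(replace_tomcat_dirs "$home" "$newdist") || return 1          # steps 2 and 3
    ${DXWEB_START_CMD:?placeholder: command that starts Dxwebserver}    # step 4
    echo "Tomcat now $(installed_tomcat_version "$home"); previous bin/lib saved in $backup"
}
if [ "${RUN_UPGRADE:-0}" = 1 ]; then upgrade_dxweb_tomcat "$@"; fi
```

Run it as `RUN_UPGRADE=1 DXWEBHOME=/path/to/dxweb ./upgrade.sh /path/to/apache-tomcat-6.0.44`; the final version line is what a rescan should agree with.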