A security scan of CA Directory R12.5 servers reports vulnerabilities on the CA Directory AdminUI server, which runs on Apache Tomcat. Port 7080 is bound by a Java process that starts the org.apache.catalina.startup.Bootstrap class and loads the Tomcat libraries in the background.
The scan may report findings against the following components:
CA Directory Management (SP14):
Apache Commons Lang 2.1
Apache log4j 1.2.8
Apache Tomcat 6.0.32
Apache XML Security 1.3
Apache Velocity 1.5
The reported vulnerabilities relate to the Apache Tomcat 6.0.32 bundle that CA Directory ships for dxmanager. Apache resolved all of them in Tomcat 6.0.44.
Upgrade to CA Directory 12.0.16 when it is available; it will ship with Tomcat 6.0.44 for dxmanager, which includes fixes for all of the vulnerabilities listed above.
Alternatively, upgrade the existing Tomcat 6.0.32 under dxwebserver to Tomcat 6.0.44 in place:
1) Stop dxwebserver.
2) Back up the current "bin" and "lib" folders under $DXWEBHOME.
3) Replace those folders with the "bin" and "lib" folders from the Tomcat 6.0.44 distribution, which can be downloaded from the Tomcat website (https://tomcat.apache.org/download-60.cgi). Verify the archive's published checksum or PGP signature before unpacking it, and compare the backed-up "lib" with the new one so that any non-Tomcat jars CA Directory placed there, if any, are carried over.
4) Start dxwebserver and confirm that the process on port 7080 now reports Tomcat 6.0.44.
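The in-place procedure above, scripted as an added example. This is not CA's own script: it assumes `dxwebserver stop`/`dxwebserver start` are the control commands, that the Tomcat 6.0.44 archive has already been downloaded, verified and extracted to $TOMCAT_NEW, and that $DXWEBHOME points at the dxwebserver installation. The swap refuses to touch the installation unless both source folders exist, keeps the old folders in a timestamped backup directory, and reads the installed version back from catalina.jar itself rather than trusting the file names.

```sh
#!/bin/sh
# Added example: replace the Tomcat 6.0.32 "bin" and "lib" under $DXWEBHOME
# with the 6.0.44 ones. Assumed defaults; adjust for your installation.
DXWEBHOME="${DXWEBHOME:-/opt/CA/Directory/dxwebserver}"   # assumed path
TOMCAT_NEW="${TOMCAT_NEW:-/tmp/apache-tomcat-6.0.44}"     # extracted download

# Move the current bin/ and lib/ into $home/backup-<stamp>/ and copy the new
# ones in. Prints the backup path on success. Returns 1 and leaves the
# installation untouched if either folder is missing on either side.
swap_tomcat_libs() {
    home="$1"; newdist="$2"; stamp="$3"
    for d in bin lib; do
        [ -d "$newdist/$d" ] || { echo "missing $newdist/$d" >&2; return 1; }
        [ -d "$home/$d" ]    || { echo "missing $home/$d" >&2; return 1; }
    done
    backup="$home/backup-$stamp"
    mkdir -p "$backup" || return 1
    for d in bin lib; do
        mv "$home/$d" "$backup/$d" || return 1
        cp -R "$newdist/$d" "$home/$d" || return 1
    done
    echo "$backup"
}

# Ask the installed catalina.jar which Tomcat it is (prints e.g.
# "Apache Tomcat/6.0.44"); ServerInfo is a standard Tomcat class.
tomcat_version() {
    java -cp "$1/lib/catalina.jar" org.apache.catalina.util.ServerInfo 2>/dev/null \
        | sed -n 's/^Server version: *//p'
}

main() {
    stamp=$(date +%Y%m%d%H%M%S)
    dxwebserver stop                                  # assumed control command
    backup=$(swap_tomcat_libs "$DXWEBHOME" "$TOMCAT_NEW" "$stamp") || exit 1
    echo "previous bin/lib saved under $backup"
    dxwebserver start                                 # assumed control command
    echo "now running: $(tomcat_version "$DXWEBHOME")"
}

# Only perform the upgrade when invoked as: sh upgrade-tomcat.sh run
case "${1:-}" in
    run) main ;;
esac
```

If the version check still prints 6.0.32 after the restart, dxwebserver is loading jars from somewhere other than $DXWEBHOME/lib, and the backup directory lets you roll back by moving the two folders straight back.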