How to Address Apache Tomcat Vulnerabilities in Client Automation 14 sp2

Document ID : KB000117102
Last Modified Date : 10/10/2018
Issue:
Multiple vulnerabilities are present in the version of Apache Tomcat installed by default in ITCA 14 Sp2. What is the best way to address them?
Environment:
ITCM / ITCA CA Client Automation R14 SP2
Cause:
Vulnerabilities have been found in Apache Tomcat version 8.5.6, which is used by default in this version of the product.
Resolution:
Upgrading the version of Apache Tomcat used by Web Services / Web Console on the Manager system to version 8.5.34 should address all currently detected vulnerabilities.

At the time of this writing, I was able to download 32-bit Apache Tomcat 8.5.34 for Windows via the following URL:

http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-8/v8.5.34/bin/apache-tomcat-8.5.34-windows-x86.zip

Using this zip file, I was able to perform the following procedure*:

1. Extract the files and copy the root 'apache-tomcat-8.5.34' folder into \CA\SC\Tomcat, making sure its contents roughly match what is in \CA\SC\Tomcat\8.5.6\ (some differences are expected; that is OK)
2. Open an administrative command prompt and run 'CAF STOP TOMCAT'
3. When complete, rename the folder \8.5.6\ to \8.5.OLD6\
4. Rename the new folder from 'apache-tomcat-8.5.34' to \8.5.6\
5. Run 'CAF START TOMCAT'
6. Wait 3-5 minutes for full initialization of services.
7. Test.
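
The numbered steps above as a PowerShell script, with the "contents roughly match" check from step 1 and a rollback to the kept 8.5.6 folder if the start fails. This is an added example, not part of the KB article or CA's own tooling; the install path, the extraction folder, caf returning a non-zero exit code on failure, and bin\version.bat (shipped in the Tomcat distribution, needs JAVA_HOME or JRE_HOME) are assumptions.

```powershell
# Added example (not from the KB article): steps 1-7 for Tomcat 8.5.6 -> 8.5.34.
param(
    [string]$TomcatRoot = 'C:\Program Files (x86)\CA\SC\Tomcat',  # assumption: adjust to your install
    [string]$NewExtract = 'C:\Temp\apache-tomcat-8.5.34'          # assumption: where the zip was extracted
)
$ErrorActionPreference = 'Stop'
$Current = Join-Path $TomcatRoot '8.5.6'
$Backup  = Join-Path $TomcatRoot '8.5.OLD6'
$Staged  = Join-Path $TomcatRoot 'apache-tomcat-8.5.34'

# Step 1 check: top-level entries of the old install that the new folder lacks
$oldTop  = Get-ChildItem $Current -Name
$newTop  = Get-ChildItem $NewExtract -Name
$missing = $oldTop | Where-Object { $_ -notin $newTop }
if ($missing) { Write-Warning "In 8.5.6 but not in 8.5.34: $($missing -join ', ')" }
Copy-Item $NewExtract $Staged -Recurse

# Step 2: stop Tomcat through CAF (assumption: caf is on PATH and returns non-zero on failure)
& caf stop tomcat
if ($LASTEXITCODE -ne 0) { throw "caf stop tomcat failed (exit $LASTEXITCODE)" }

# Steps 3-4: keep the old folder as 8.5.OLD6, move the new one into place as 8.5.6
Rename-Item $Current $Backup
Rename-Item $Staged  $Current

# Step 5: start Tomcat; on failure put 8.5.6 back and restart
& caf start tomcat
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'caf start tomcat failed; rolling back to the original 8.5.6 folder'
    & caf stop tomcat
    Rename-Item $Current $Staged
    Rename-Item $Backup  $Current
    & caf start tomcat
    throw 'Upgrade rolled back'
}

# Step 6: allow services to initialize before testing
Start-Sleep -Seconds 300

# Step 7: confirm the folder now in place reports the expected Tomcat version
& (Join-Path $Current 'bin\version.bat') | Select-String 'Server number'
```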

I was able to do all of the following successfully:

1. Log on to Web Admin Console
2. Connect to the Patch Manager portion and browse all items
3. Change the status of a patch
4. Change configuration values of several items and confirm they saved successfully.
5. Browse to a computer in WAC
6. Drill into each tab to view the Summary page, inventory, patches, installation history, etc.
7. View Health Monitoring Section of the WAC

*NOTE: This is an INFORMAL a.k.a. NON-CERTIFIED procedure, tested by support, and it could conceivably lead to unexpected issues; therefore this procedure should be considered 'use at your own risk'. That being said, the actual risk of this upgrade should be minimal, as this is an incremental update and not a major version update to Apache Tomcat.

*NOTE: There has been no testing like this involving the replacement of the Apache Tomcat used by Extended Network Connectivity (ENC). If you are a user of ENC and have Tomcat version or vulnerability concerns, a support ticket should be opened to investigate your options.

As all basic tests of Web Services / Web Admin Console functions were successful, this procedure should be acceptable to carry out for most users.