How to Disable JBoss SEAM Framework to Address Vulnerability CVE-2010-1871 in CA Process Automation

Document ID : KB000020576
Last Modified Date : 14/02/2018

Description:

CA Technologies support is notifying customers about a high-risk remote code vulnerability affecting certain releases of CA PAM. The vulnerability occurs in the bundled JBoss Seam component and is known as CVE-2010-1871.

CA Technologies recommends customers disable the JBoss Seam component to resolve the vulnerability. Instructions are provided below.

Solution:

Note: These instructions will also disable the JBoss Admin Console. If the Admin Console is needed, these instructions can be reversed.

  1. Stop the PAM service.

  2. Delete the contents of the following directories:

    <PAM_Home>\server\c2o\.tmp
    <PAM_Home>\server\c2o\temp
    <PAM_Home>\server\c2o\tmp
    <PAM_Home>\server\c2o\work

  3. Create a backup directory outside the PAM directory tree (e.g. "PAM-Seam-Backup").

  4. Move the following folders from <PAM_Home>\server\c2o\deployers to the backup location:

    seam.deployer
    webbeans.deployer

  5. Move the following folder from <PAM_Home>\server\c2o\deploy to the backup location: admin-console.war

  6. Start the PAM service.

If the Admin Console is temporarily needed, stop the PAM service, revert the changes in step 5 above and then start the PAM service. Repeat step 5 when the Admin Console is no longer needed.
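
Steps 2 to 5 above as a PowerShell script with a pre-check and a post-check, added here as an example and not part of CA's article. The parameter names are illustrative, and the article does not give the Windows service name, so it is passed in as an assumption-free parameter that you set to your local PAM service.

```powershell
# Added example: steps 2-5 of the procedure above. Parameter names are
# hypothetical; pass absolute paths and the local PAM service name.
param(
    [Parameter(Mandatory)] [string] $PamHome,     # value of <PAM_Home>
    [Parameter(Mandatory)] [string] $BackupDir,   # e.g. D:\PAM-Seam-Backup
    [Parameter(Mandatory)] [string] $ServiceName  # not named in the article
)
$ErrorActionPreference = 'Stop'   # abort on the first failed operation

$c2o     = Join-Path $PamHome 'server\c2o'
$pamRoot = [IO.Path]::GetFullPath($PamHome).TrimEnd('\') + '\'
$backup  = [IO.Path]::GetFullPath($BackupDir).TrimEnd('\') + '\'
# Step 3 requires the backup directory to be outside the PAM directory tree.
if ($backup.StartsWith($pamRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup directory must be outside $PamHome"
}
# Step 1 is done by the operator; refuse to touch files while PAM is running.
if ((Get-Service -Name $ServiceName).Status -ne 'Stopped') {
    throw "Stop service '$ServiceName' first (step 1)"
}
# Step 2: delete the contents of the four directories, keeping the directories.
foreach ($d in '.tmp', 'temp', 'tmp', 'work') {
    $dir = Join-Path $c2o $d
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Force | Remove-Item -Recurse -Force
    }
}
# Step 3: create the backup directory.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# Steps 4 and 5: copy, then remove, so the move also works across volumes.
$targets = @(
    (Join-Path $c2o 'deployers\seam.deployer'),
    (Join-Path $c2o 'deployers\webbeans.deployer'),
    (Join-Path $c2o 'deploy\admin-console.war')
)
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) {
        Copy-Item -LiteralPath $t -Destination $BackupDir -Recurse
        Remove-Item -LiteralPath $t -Recurse -Force
    }
}
# Post-check: none of the three components may remain in the PAM tree.
$left = $targets | Where-Object { Test-Path -LiteralPath $_ }
if ($left) { throw "Still present: $($left -join ', ')" }
Write-Output "Seam components moved to $BackupDir; start the PAM service (step 6)."
```

The post-check can be rerun on its own after upgrades or restores to confirm the three components have not reappeared under `server\c2o`.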