CA Technologies support is notifying customers about a high-risk remote code execution vulnerability affecting certain releases of CA PAM. The vulnerability occurs in the bundled JBoss Seam component and is known as CVE-2010-1871.
CA Technologies recommends customers disable the JBoss Seam component to resolve the vulnerability. Instructions are provided below.
Note: These instructions will also disable the JBoss Admin Console. If the Admin Console is needed, these instructions can be reversed.
a) Stop the PAM service.
b) Delete the contents of the following directories:
c) Create a backup directory outside the PAM directory tree (e.g. "PAM-Seam-Backup").
d) Move the following folders from <PAM_Home>\server\c2o\deployers to the backup location:
e) Move the following folder from <PAM_Home>\server\c2o\deploy to the backup location: admin-console.war
f) Start the PAM service.
If the Admin Console is temporarily needed, stop the PAM service, revert the changes in step e) above and then start the PAM service. Repeat step e) when the Admin Console is no longer needed.