Is Access Gateway R12.7 affected by Tomcat Vulnerability (CVE-2017-12617)?

Document ID : KB000016128
Last Modified Date : 14/02/2018
Question:

We are using CA SSO Access Gateway R12.7 on the Linux platform. This version uses Tomcat 7.0.77, and we found the following vulnerability:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82

In our configuration, we have not set the readonly initialization parameter. Can the SPS Tomcat be affected? What is the default value?

Environment:
Access Gateway R12.7
Answer:

This vulnerability only affects Tomcat servers on which HTTP PUT requests are enabled: with PUT allowed, an attacker can use it to place a file on the server that is then executed.

By default, SPS/Access Gateway Tomcat sets the readonly parameter to true, so HTTP PUT requests are not allowed out of the box (OOTB).

However, if you modified the default servlet configuration to set the readonly parameter to false, then your Access Gateway can be affected by this vulnerability.
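As an added check, not part of this article or of the Access Gateway product, the following Python script parses a Tomcat web.xml and reports whether the default servlet's readonly parameter leaves HTTP PUT enabled. The two web.xml fragments are constructed samples, not the file shipped with Access Gateway, and the function names are assumptions; the parsing rule (only the literal value "true" keeps the servlet read-only, an absent parameter defaults to read-only) follows Tomcat's DefaultServlet.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample of the relevant part of Tomcat's conf/web.xml (not the
# Access Gateway's actual file): the default servlet with readonly=false,
# which is the weak setting the article warns about.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample of the shipped state: no readonly parameter at all,
# so Tomcat's default (read-only, PUT refused) applies.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as '{http://...}servlet' down to 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective 'readonly' value of the DefaultServlet declaration.

    True  -> PUT/DELETE refused (Tomcat's default, and the Access Gateway default).
    False -> PUT/DELETE accepted, the state that exposes CVE-2017-12617.
    None  -> no DefaultServlet declaration in this file (look in conf/web.xml).
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), None)
        if cls is None or cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = child.text or ""
            if name == "readonly":
                # Tomcat parses this like Java's Boolean.parseBoolean: only the
                # literal "true" (any case) keeps the servlet read-only.
                return value.lower() == "true"
        return True  # DefaultServlet present, parameter absent: default is read-only
    return None


def put_allowed(web_xml_text):
    """True only when a DefaultServlet declaration explicitly permits writes."""
    return default_servlet_readonly(web_xml_text) is False


def audit(web_xml_text):
    """One-line verdict suitable for a configuration review checklist."""
    state = default_servlet_readonly(web_xml_text)
    if state is None:
        return "no DefaultServlet declaration found in this file"
    if state:
        return "OK: default servlet is read-only, HTTP PUT is refused"
    return "FINDING: readonly=false on the default servlet, HTTP PUT is accepted"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{label}: {audit(text)}")
```

To run it against a real installation, read the Tomcat conf/web.xml (and any application web.xml that redeclares the default servlet) into a string and pass it to audit(); a "FINDING" line means the parameter was changed from the shipped default described above.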

Additional Information: