Is CA UIM/UMP vulnerable to CVE-2016-5388 ?

Document ID : KB000045358
Last Modified Date : 14/02/2018

Question: 

We have a vulnerability highlighted for Apache Tomcat. Can you please confirm whether it affects CA UIM?

Affected Technology(ies): [Apache Tomcat] 

Vulnerability Severity: [Medium] 

Reference(s): http://www.apache.org/security/asf-httpoxy-response.txt 

Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases 


Environment:  

CA UIM/UMP


Answer: 

The CA UMP portal is not vulnerable to this issue (CVE-2016-5388, the Tomcat CGI servlet "Proxy:" header / httpoxy flaw).

UMP uses a Tomcat instance embedded in the wasp probe. That Tomcat is NOT configured to use the CGI servlet, and the CGI servlet is not shipped in our installation. The flaw only affects requests handled by Tomcat's CGI servlet, which copies the client-supplied "Proxy:" request header into the HTTP_PROXY environment variable of the CGI program it launches; a deployment without that servlet has no code path that does this.

This can be confirmed on the UMP server by navigating to the folder \Nimsoft\probes\service\wasp\lib and checking for the presence of a file called "servlets-cgi.jar" or "servlets-cgi.renametojar".

If servlets-cgi.jar exists, CGI is enabled. If servlets-cgi.renametojar exists, CGI is available but not enabled.

You should find that neither case is true: we do not ship any servlets-cgi.* files at all, so neither file should be present.
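The folder check above, scripted so it can be run on each UMP server as part of a vulnerability review. This is an added example, not CA-provided code; the Nimsoft install root is passed in by the caller (the article only gives the path below it), and the three result labels are my own names for the cases the article describes.

```python
"""Check whether the UMP wasp's embedded Tomcat ships or enables the CGI servlet.

Applies the rule from KB000045358: servlets-cgi.jar in the wasp lib folder
means CGI is enabled, servlets-cgi.renametojar means shipped but disabled,
and no servlets-cgi.* file at all is the expected state for UMP.
"""
import glob
import os
import sys

# Path below the Nimsoft install root, as given in the article.
WASP_LIB_SUBDIR = os.path.join("probes", "service", "wasp", "lib")


def cgi_servlet_status(lib_dir):
    """Classify the wasp lib folder. Returns (status, files_found).

    status is one of "enabled", "disabled" or "not-shipped" (labels are
    this example's own); files_found lists every servlets-cgi.* name seen,
    so stray copies such as a .bak are reported rather than silently ignored.
    """
    if not os.path.isdir(lib_dir):
        raise FileNotFoundError(f"wasp lib folder not found: {lib_dir}")
    # Match any servlets-cgi.* variant; lower-case so the comparison is the
    # same on case-insensitive (Windows) and case-sensitive (Linux) hosts.
    found = sorted(os.path.basename(p).lower()
                   for p in glob.glob(os.path.join(lib_dir, "servlets-cgi.*")))
    if "servlets-cgi.jar" in found:
        return "enabled", found
    if "servlets-cgi.renametojar" in found:
        return "disabled", found
    return "not-shipped", found


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <Nimsoft install root>", file=sys.stderr)
        return 2
    status, found = cgi_servlet_status(os.path.join(argv[1], WASP_LIB_SUBDIR))
    print(f"CGI servlet status: {status}; servlets-cgi.* files: {found or 'none'}")
    # Non-zero exit on anything other than the expected state, for scripting.
    return 0 if status == "not-shipped" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```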