Vulnerability CVE-2014-0230 in CA API Developer Portal

Document ID : KB000005401
Last Modified Date : 14/02/2018
Issue:

The Apache Tomcat in CA API Developer Portal v2.6 is exposed to vulnerability CVE-2014-0230. To cover this and several other vulnerabilities (see http://tomcat.apache.org/security-6.html), Tomcat is upgraded to the latest 6.0.x version.

This knowledge base article describes how to upgrade the Tomcat version in CA API Developer Portal.

Environment:
CA API Developer Portal v2.6
CA API Developer Portal v3.0
CA API Developer Portal v3.1
CA API Developer Portal v3.5
Cause:

Caused by vulnerability CVE-2014-0230.

Denial of Service 

 

When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Resolution:

Instructions for v2.6 to 3.0 CA API Developer Portal

==================================

1) Check the version of Apache Tomcat in CA API Developer Portal

./server/bin/version.sh 

2) Copy the attached upgrade-tomcat and tomcat-6.0.48.tgz to /opt/Deployments/lrs

3) cd /opt/Deployments/lrs

server/bin/shutdown.sh
sh update-tomcat
server/bin/startup.sh
 
4) Verify the upgrade of the Tomcat version

./server/bin/version.sh

Tomcat will be at 6.0.48 after the update.
 
 
Instructions for v3.1 or later CA API Developer Portal
=================================

1) Check the version of Apache Tomcat in CA API Developer Portal

./server/bin/version.sh 

2) Copy the attached upgrade-tomcat and tomcat-6.0.48.tgz to /opt/Deployments/lrs

3) cd /opt/Deployments/lrs

service apiportal stop
sh update-tomcat
chown -R l7portal:portalusers server
service apiportal start
 
4) Verify the upgrade of the Tomcat version
 
./server/bin/version.sh 
 
Tomcat will be at 6.0.48 after the update.
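
The version check in step 4 of both procedures can be scripted. The following is an added example, not part of the original article or the attached package: it parses version.sh output and compares the reported release with the 6.0.48 target. The function names and the sample output are constructed, and the "Server version: Apache Tomcat/x.y.z" line format is assumed from standard Tomcat output.

```shell
#!/bin/sh
# Added example (not from the KB article). Function names are hypothetical.

# Extract "6.0.48" from a line such as "Server version: Apache Tomcat/6.0.48".
tomcat_version() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each field numerically
# (so 6.0.100 is newer than 6.0.48, which a string compare gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Read version.sh output on stdin. Exit status: 0 patched, 1 outdated, 2 unparseable.
check_tomcat() {
    min=${1:-6.0.48}   # target release named in this article
    found=$(tomcat_version)
    if [ -z "$found" ]; then
        echo "UNKNOWN: no 'Server version' line found"
        return 2
    fi
    if version_ge "$found" "$min"; then
        echo "OK: Tomcat $found >= $min"
    else
        echo "OUTDATED: Tomcat $found < $min"
        return 1
    fi
}

# Constructed sample of pre-upgrade version.sh output (6.0.41 is illustrative).
sample_output() {
    printf '%s\n' 'Server version: Apache Tomcat/6.0.41' 'Server number:  6.0.41.0'
}

# On the portal host: cd /opt/Deployments/lrs && ./server/bin/version.sh | check_tomcat
sample_output | check_tomcat || true
```

A non-zero exit status from check_tomcat after step 3 means the new Tomcat tree was not put in place or version.sh is still running from the old one.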
Additional Information:

An upgrade of Tomcat to a higher version is planned for a later CR.

File Attachments:
TEC1559945.zip