
CA20090123-01.txt

Posted Jan 27, 2009
Authored by Ken Williams | Site www3.ca.com

Multiple security risks exist in Apache Tomcat as included with CA Cohesion and products that contain CA Cohesion. These include, but are not limited to, arbitrary command execution. Affected products include CA Cohesion Application Configuration Manager 4.5, CA CMDB Application Server 11.1, and Unicenter Service Desk 11.2.

tags | advisory, arbitrary
advisories | CVE-2005-2090, CVE-2005-3510, CVE-2006-3835, CVE-2006-7195, CVE-2006-7196, CVE-2007-0450, CVE-2007-1355, CVE-2007-1358, CVE-2007-1858, CVE-2007-2449, CVE-2007-2450, CVE-2007-3382, CVE-2007-3385, CVE-2007-3386, CVE-2008-0128
SHA-256 | c8609f8dceb80de59813e4e08c5e56ee0e21604a9ddf888c621eda88cd823b65

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities


CA Advisory Reference: CA20090123-01


CA Advisory Date: 2009-01-23


Reported By: n/a


Impact: Refer to the CVE identifiers for details.


Summary: Multiple security risks exist in Apache Tomcat as
included with CA Cohesion Application Configuration Manager. CA
has issued an update to address the vulnerabilities. Refer to the
References section for the full list of resolved issues by CVE
identifier.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA Cohesion Application Configuration Manager 4.5


Non-Affected Products:
CA Cohesion Application Configuration Manager 4.5 SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO04648


How to determine if you are affected:

1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
vulnerable.
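
The check in steps 1-4 can be scripted for auditing several servers. The following is an added example, not part of the CA advisory: it assumes the version in question is the Tomcat version and that the RELEASE-NOTES header contains a line of the form "Apache Tomcat Version X.Y.Z"; the sample headers are constructed.

```python
import re
from pathlib import Path

# Threshold from the advisory: versions below 5.5.25 are vulnerable.
FIXED_VERSION = (5, 5, 25)

# Default location given in the advisory.
DEFAULT_PATH = Path(r"C:\Program Files\CA\Cohesion\Server\server\RELEASE-NOTES")

# Assumption: the file header carries a line like "Apache Tomcat Version 5.5.23".
VERSION_RE = re.compile(r"Apache Tomcat Version\s+(\d+(?:\.\d+)+)")


def parse_tomcat_version(text):
    """Return the version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(text):
    """Classify RELEASE-NOTES content as 'vulnerable', 'ok' or 'unknown'."""
    version = parse_tomcat_version(text)
    if version is None:
        return "unknown"  # do not treat an unreadable file as safe
    # Tuples compare numerically per component, so 5.5.9 < 5.5.25;
    # a plain string comparison would get that case wrong.
    return "vulnerable" if version < FIXED_VERSION else "ok"


# Constructed sample headers, not taken from a real installation.
SAMPLE_OLD = "        Apache Tomcat Version 5.5.9\n            Release Notes\n"
SAMPLE_FIXED = "        Apache Tomcat Version 5.5.25\n            Release Notes\n"

if __name__ == "__main__":
    if DEFAULT_PATH.exists():
        print(DEFAULT_PATH, assess(DEFAULT_PATH.read_text(errors="replace")))
    else:
        for sample in (SAMPLE_OLD, SAMPLE_FIXED):
            print(parse_tomcat_version(sample), assess(sample))
```

A result of "unknown" means the header was not found and the file should be inspected by hand, as in step 3.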


Workaround: None


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By:
n/a
CVE References:
CVE-2005-2090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 *
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
https://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact https://www.ca.com/us/contact/
Legal Notice https://www.ca.com/us/legal/
Privacy Policy https://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.