Symantec IGA

This notice is to alert you to the availability of patches and instructions regarding the Ghostcat vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938 and https://nvd.nist.gov/vuln/detail/CVE-2020-1938).   

This vulnerability is rated at 9.8 Critical Severity.  Please give this high attention.

Symantec IGA uses Apache Tomcat in the Virtual Appliance and makes use of the Apache JServ Protocol (AJP).  

Patches and deployment instructions for the following versions of these Virtual Appliance components are being made available via these location:

14.3:

• http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/release-notes/virtual-appliance-release-notes/CA-VA-Hotfixes.html
• https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/virtual-appliance/configuring-virtual-appliance.html#concept.dita_e8bc3a132b722521f1368d7a3210969a821df413_ToggleAJPListener

14.2:

• http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-2/release-notes/virtual-appliance-release-notes/CA-VA-Hotfixes.html
• https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-2/virtual-appliance/configuring-virtual-appliance.html#concept.dita_e051b2ab7d7bc1a0afe6e0fd556b3e338354acf3_ToggleAJPListener

14.1:

• http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-portal/14-1/release-notes/ca-identity-suite-virtual-appliance-release-notes/virtual-appliance-service-packs-and-cumulative-patches-14-1/ca-identity-suite-virtual-appliance-cumulative-patches/CA-VA-Hotfixes.html
• http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-portal/14-1/configuring/configuring-ca-identity-suite-virtual-appliance.html#concept.dita_b55dff851250643ec08e43938e5d6f26184a6f90_ToggleAJPListener

Note that the method to exploit this vulnerability is not described in the CVE detail. However, in order to provide a higher level of assurance to our customers we are providing these patches. 

If you have questions please contact Broadcom Support:

https://www.broadcom.com/support/services-support/ca-support/contact-support?intcmp=footernav

Thanks in advance

Itamar Budin

Product Management Lead  - Identity Governance & Administration | Symantec Software Division

Symantec, A Broadcom Company