CA Client Automation

  • 1.  CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Posted May 17, 2020 02:25 PM
    Hello, Community.

    I am new here and this is my first post. I have to say I am having a little bit of stage fright, but still I have to ask my questions here because I cannot find any other place.

    The company I work for purchased the CA IT Asset Manager some time ago. We have been using mainly the DSM Explorer to automate remote patching process out on the local workstations. When you click "About" in the "Help" tab in the application it says:

    CA IT Client Manager
    Version: 14.0.2000.255


    We had a really experienced employee who did the administration tasks using the tool but he has left us. Before leaving he showed some basics to his team mates but the knowledge we possessed is really basic.

    Looking for my answers on support pages of Broadcom I registered my account but cannot open any ticket because I do not have any sites to access.


    I am not actually sure what it means and I have even attempted raising the Site Access Request by clicking the link (see picture above), but the form requires some Site ID which is not known to me.

    Well, that was briefing... Now let's get to the point...

    During our recent Qualys scans, the server that hosts the CA ITAM showed the CVE-2020-1938 (Ghostcat) vulnerability that has quite a high risk and needs to be patched ASAP.

    Can you, please, tell me how to get rid of the CVE-2020-1938 vulnerability? Is there any patch on Broadcom page I could download and apply on the server? Should I update the ITAM version? If so, will I not cause all the running jobs fail?

    Looking for the answers I have encountered this page: Impact of Ghostcat (CVE-2020-1938) with Service Management r17.x
    Release : 17.x Component : SERVICE DESK MANAGER We do not depend on AJP protocol out of the box in Service Desk Manager. Service Catalog's might be used when its made part of out of the box cluster configuration. --> AJP connector can be disabled so that the exposure of this vulnerability does not happen.


    It mentions the vulnerability and the ITAM, and I have even tried out both suggested approaches, but once I have modified the Tomcat config file the application fails to run.



    ------------------------------
    Mariusz
    ------------------------------


  • 2.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Broadcom Employee
    Posted May 18, 2020 12:56 AM
    Hi Mariusz,

    ITCM uses Tomcat in WebConsole, ENC and Content Import Client components.
    Which components are you using?

    Thanks
    Sai


  • 3.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Broadcom Employee
    Posted May 18, 2020 02:49 AM

    Hello Mariusz,

    We have the below components using these Tomcat versions as part of CA Client Automation.
    - Web Admin Console (WAC): 8.5.6
    - Extended Network Connectivity (ENC): 8.5.6
    - Content Import Client (CIC): 8.0.26

    The following versions are impacted as per the information from this link (https://www.secpod.com/blog/ghostcat-vulnerability-cve-2020-1938/):

    • Apache Tomcat 9.x < 9.0.31
    • Apache Tomcat 8.x < 8.5.51
    • Apache Tomcat 7.x < 7.0.100
    • Apache Tomcat 6.x

    As per the above information, only the CIC component in CA Client Automation is impacted by this vulnerability, for which we are planning to upgrade the Tomcat version, but for now as a workaround solution for remediation, you can comment out the below entry in server.xml (SC\CIC\Tomcat\conf\server.xml).


    The AJP protocol related attribute is causing the vulnerability:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    Regards,
    Praveen



    ------------------------------
    [Manager, Software Engineering]
    [CA Technologies (Broadcom Company)]
    ------------------------------
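    The audit and workaround from the reply above, as an added example (not Broadcom's code or the CIC configuration itself): it lists the AJP connectors still active in a Tomcat server.xml, applies the comment-out workaround without touching connectors that are already commented, and confirms the edited file still parses as XML. The server.xml below is a constructed sample modelled on a stock Tomcat layout.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to CVE-2020-1938 (Ghostcat)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a stock Tomcat 8.0.x server.xml; not the real CIC file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Matches a self-closing AJP Connector element (the form Tomcat ships with).
AJP_CONNECTOR = re.compile(r'<Connector\b[^>]*protocol="AJP/1\.3"[^>]*/>')

def audit_ajp(xml_text):
    """Return the active AJP connectors with the settings that matter for Ghostcat.
    The parser drops XML comments, so a commented-out connector is not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for c in root.iter("Connector"):
        if c.get("protocol", "").startswith("AJP"):
            findings.append({
                "port": c.get("port"),
                "address": c.get("address", "all interfaces"),   # unset = listens everywhere
                "secretRequired": c.get("secretRequired", "default"),
            })
    return findings

def disable_ajp(xml_text):
    """Apply the thread's workaround: wrap every active AJP Connector in an XML comment.
    Existing comments are skipped so no nested comment is produced; the result is
    re-parsed so a broken edit raises ParseError instead of being written out."""
    parts = re.split(r"(<!--.*?-->)", xml_text, flags=re.S)
    for i in range(0, len(parts), 2):            # even indices lie outside comments
        parts[i] = AJP_CONNECTOR.sub(lambda m: "<!-- " + m.group(0) + " -->", parts[i])
    result = "".join(parts)
    ET.fromstring(result)                        # well-formedness check
    return result

if __name__ == "__main__":
    print("before:", audit_ajp(SAMPLE_SERVER_XML))
    print("after: ", audit_ajp(disable_ajp(SAMPLE_SERVER_XML)))
```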



  • 4.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Posted May 18, 2020 06:42 AM
    Thanks, Sai and Praveen for your prompt reply.
    In order of appearance, Sai, we use the thick client which is called the DSM Explorer in Windows' Start -> CA - that is our basic application.
    But, since not everything can be managed in that we also use the DSM Web Console. I know that also the DSM Reporter is commonly used.

    I am not a dedicated employee to manage the remote patching process so I do not know the details.

    All I know is that once I modified the Tomcat config file mentioned by Praveen and described by me the other day in my first entry, the basic application - the DSM Explorer - failed to run. As I wrote, I had tried out both variants of the procedure recommended to disable or password-protect the AJP protocol.

    So in my opinion the Tomcat is used by the thick DSM Explorer client for sure.


  • 5.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Broadcom Employee
    Posted May 19, 2020 12:52 AM
    Hi Mariusz,

    DSM Explorer doesn't use Tomcat. As mentioned by Praveen, Tomcat is used by the WebConsole/ENC/CIC components.
    DSM Explorer doesn't depend on Tomcat and the failure is not related to your config changes.

    Thanks
    Sai


  • 6.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability

    Posted May 19, 2020 03:40 AM
    Sai and Praveen,
    whenever I modify the server.xml file and comment out the
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" -->
    line and attempt to run the DSM Explorer, the application fails to run.

    Once I revert the change and run the DSM Explorer followed by removing the "!" from the line it runs properly.

    So maybe the app does not use it but strongly depends on its configuration, because one character in the config file determines whether the application runs properly or not. So, please, do not tell me that these two are not strongly related.


  • 7.  RE: CA Client Manager CVE-2020-1938 (Ghostcat) vulnerability
    Best Answer

    Broadcom Employee
    Posted May 20, 2020 01:18 AM
    Mariusz,

    I believe you have posted this issue in the support portal. We will look into it and update our observations in the support case. If required we will set up a call with you along with our L1 engineer. Thanks!

    Regards,
    Praveen
    Manager, Software Engineering, EPG - ITSM and Automation

    Enterprise Software Division | +91 40 66879269 (O) | +91 7032640296 (M) | praveenkumar.gudupalli@broadcom.com