lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 10 May 2011 19:10:08 -0400
From: "Kotas, Kevin J" <Kevin.Kotas@...com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: CA20110510-01: Security Notice for CA eHealth

-----BEGIN PGP SIGNED MESSAGE-----

CA20110510-01: Security Notice for CA eHealth

Issued: May 10, 2011

CA Technologies support is alerting customers to a security risk with
CA eHealth. A vulnerability exists that may potentially allow an
attacker to compromise web user security.

The vulnerability, CVE-2011-1899, occurs due to insufficient
validation of sent request parameters. An attacker, who can convince
a user to follow a carefully constructed link or view a malicious
web page, can conduct various cross-site scripting attacks.

Note: The "Scan user input for potentially malicious HTML content"
configuration option does not protect against this vulnerability.

Risk Rating

Medium

Platform

Windows
Unix

Affected Products

CA eHealth 6.0.x
CA eHealth 6.1.x
CA eHealth 6.2.1
CA eHealth 6.2.2

How to determine if the installation is affected

Locate the following file on the respective platform:

Platform
File path

Windows
"%NH_HOME%\extensions\local\42339.log"

Unix
"$NH_HOME/extensions/local/42339.log"

If the file is not present, the installation is vulnerable.

Solution

Customers may contact CA Technologies support to obtain a patch that
resolves this issue. Request the patch for PRD 42339 when submitting
the support ticket.

References

CVE-2011-1899 - eHealth cross-site scripting

CA20110510-01: Security Notice for CA eHealth
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5
662845D-4CD7-4CE6-8829-4F07A4C67366}

Acknowledgement

CVE-2011-1899 - Tony Fogarty

Change History

Version 1.0: Initial Release
If additional information is required, please contact CA Support at
http://support.ca.com/

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17
7782

Regards,

Kevin Kotas
CA Technologies Product Vulnerability Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBTcnDXJI1FvIeMomJAQG7OAf/VxiNXwFJPWZbqwhyVQRCN33g3+fPWGSe
6vNpiGMaZAZ9IBLbTRxI8B0XRsmcHclPFurc7SzH8zO37GktJ2RnJZ0MuZWGVQsD
dVspm/r3DxHtWyLbRGxV9FpRRErqG6OHuTPDZ69dbaODvD2p8DXzjKBC4w3vBtPi
h13x1sO6sUapQ40gYL8Z4bq8uDf+BP0iENI2VArSdalUwTdtWsD6dwmiDb45iHpX
a8HHNCVQ1YJFHhydNVnm0vhBOe58tOLC7K92Yyrk6Gn801UD/jCcg+dc5FoAibgo
LmasWeVzcPmR7ZGYiogG0abUlYZEG6KiQxyuvfk/0xthEYM6mt1fZw==
=SGmt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ