Date: Thu, 3 Apr 2014 20:22:08 +0000
From: "Kotas, Kevin J" <Kevin.Kotas@...com>
To: "'bugtraq@...urityfocus.com' \(bugtraq@...urityfocus.com\)" <bugtraq@...urityfocus.com>
Subject: CA20140403-01: Security Notice for CA Erwin Web Portal

-----BEGIN PGP SIGNED MESSAGE-----

CA20140403-01: Security Notice for CA Erwin Web Portal

Issued: April 03, 2014

CA Technologies Support is alerting customers to multiple
vulnerabilities with CA Erwin Web Portal.

The vulnerabilities, CVE-2014-2210, occur due to insufficient path
verification. A remote unauthenticated attacker can use directory
traversal attacks to gain sensitive information, cause a denial of
service condition, gain additional access, or potentially execute
arbitrary code.

Risk Rating

High

Platform

Windows

Affected Products

CA ERwin Web Portal Version 9.5

How to determine if the installation is affected

1. View the About page
2. Find the Build Date
3. The Build Date should be on or after March 20, 2014; otherwise
the installation is vulnerable.

Solution

CA ERwin Web Portal Version 9.5:
MIMM-win32-721-20140320.exe

References

CVE-2014-2210 - Erwin Web Portal directory traversal

CA20140403-01: Security Notice for CA Erwin Web Portal
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

Andrea Micalizzi aka rgod working with HP's Zero Day Initiative

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@...com

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Security Response Blog
http://blogs.ca.com/securityresponse/

Regards,

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2014 CA. All Rights Reserved. One CA Plaza, Islandia,
N.Y. 11749. All other trademarks, trade names, service marks, and
logos referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

-----END PGP SIGNATURE-----
