[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAK6erokT3di7uM1r-ynAPChE2z3Kwg+Mc1pBN-spbvepdfVvqg@mail.gmail.com>
Date: Fri, 18 Jan 2019 16:17:34 -0500
From: Kevin Kotas <kevin.kotas@...adcom.com>
To: bugtraq@...urityfocus.com
Subject: CA20190117-01: Security Notice for CA Service Desk Manager
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CA20190117-01: Security Notice for CA Service Desk Manager
Issued: January 17, 2019
Last Updated: January 17, 2019
CA Technologies Support is alerting customers to multiple potential
risks with CA Service Desk Manager. Multiple vulnerabilities exist
that can allow a remote attacker to access sensitive information or
possibly gain additional privileges. CA published solutions to
address the vulnerabilities.
The first vulnerability, CVE-2018-19634, is due to how survey access
is implemented. A malicious actor can access and submit survey
information without authentication.
The second vulnerability, CVE-2018-19635, allows for a malicious
actor to gain additional privileges.
Risk Rating
High
Platform(s)
All platforms
Affected Products
CA Service Desk Manager 14.1
CA Service Desk Manager 17
How to determine if the installation is affected
CA Service Desk Manager r14.1:
Versions prior to 14.1.05.1 are vulnerable.
CA Service Desk Manager r17 Windows:
Versions 17.1.0.1 and prior without the 17.1.0.1 language patch in
the solution section are vulnerable
CA Service Desk Manager r17 Linux:
Versions prior to 17.1.0.2 are vulnerable
Solution
CA Technologies published the following solutions to address the
vulnerabilities.
CA Service Desk Manager r14.1:
Update to CA Service Desk Manager 14.1.05.1. The rollup patches are
available on the CA Service Desk Manager 14.1 Solutions & Patches
page.
Windows - SO05733
Sun - SO05716
Linux - SO05715
CA Service Desk Manager R17 Linux:
Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions
& Patches page.
CA Service Desk Manager R17 Windows:
Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the
corresponding language patch for the Service Desk Manager
installation. All fixes are available on the CA Service Desk Manager
17.1 Solutions & Patches page.
Chinese - SO06055
English - SO06036
French - SO06051
French Canadian - SO06039
German - SO06037
Italian - SO06052
Japanese - SO06053
Portuguese - SO06054
Spanish - SO06038
References
CVE-2018-19634 - CA Service Desk Manager survey access
CVE-2018-19635 - CA Service Desk Manager privilege escalation
Acknowledgement
CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep
Change History
Version 1.0: 2019-01-17 - Initial Release
CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications.
Customers who require additional information about this notice may
contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response
Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.
-----BEGIN PGP SIGNATURE-----
Charset: utf-8
wsFVAwUBXEDDEblJjor7ahBNAQhpKw/+MdbnJY7q2pYojS3XvSOhWjdm6H41akB5
mXjsGQLhpRvLV+sS3p1+l+JK9F8x7Gi0+tJaCMILq8eGj7hIfgrm+J38XxcQIfJd
xPqXeuoeM6Fghd3AgNriecleIELjt32zCy4JpDMiiUDu1+dYpsURHBTiN2YITBMn
V11TMq8lvJua10z81OFgm+Kj95qdDfu1NKV+A+Nmtdey+6fxEEWiOBCE01EZC+M9
4cY1vLVQdY+Kkv2GN0P89rKzkWg5UCGjLSbcbnz9+STGRoT5VEcatiZFVSYtudUZ
KQSu0UIoPDOxGSn+EE+PSBgP0e3R0ke1swXN8kIghmAthCaFVyTVBRUpTpOKYg3o
AjQfiRlowBnNoeRtdZltLuWTEIY+5gpduN5pRLTgeTbwbGV9IaK2uxjNy3g4PvfG
PApvtbxxPSOwwTTMtD2jAdiSxOeEbh+vhaBX4BjaUGPysMgsBgVbARntIYySu78X
YL8tf9N04y3r+nEGP6jCgIAHU5NajAubx6FaHDS1rOnuEZ3y6+r/kOOy38dfQygk
ASdeG12cXd8/I6UFDphk9DcBhO61z9EgZ4DatfXvtBuuirkwdaavbx4UN8DX9pPX
TMKvFVhPn259nDQG95uMZSHgXAygWEr8wlPn0ef0JjszeZnAsiLnRE149zeGyG75
QD/9yo0kzx8=
=4XWm
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists