[<prev] [next>] [day] [month] [year] [list]
Message-ID: <649CDCB56C88AA458EFF2CBF494B62040B968963@USILMS12.ca.com>
Date: Wed, 20 Apr 2011 22:12:57 -0400
From: "Williams, James K" <James.Williams@...com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: CA20110420-02: Security Notice for CA Output
Management Web Viewer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CA20110420-02: Security Notice for CA Output Management Web Viewer
Issued: April 20, 2011
CA Technologies support is alerting customers to security risks
associated with CA Output Management Web Viewer. Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary code. CA
Technologies has issued patches to address the vulnerabilities.
The vulnerabilities, CVE-2011-1719, are due to boundary errors in the
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote
attacker can create a specially crafted web page to exploit the flaws
and potentially execute arbitrary code.
Risk Rating
High
Platform
Windows
Affected Products
CA Output Management Web Viewer 11.0
CA Output Management Web Viewer 11.5
How to determine if the installation is affected
If the end-user controls are at a version that is less than the
versions listed below, the installation is vulnerable.
File Name Version
UOMWV_HelperActiveX.ocx 11.5.0.1
PPSView.ocx 1.0.0.7
Solution
CA has issued the following patches to address the vulnerability.
CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).
CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).
References
CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer
Overflows
Acknowledgement
Dmitriy Pletnev, Secunia Research
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22@...com
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8
wj4DBQFNr5KCeSWR3+KUGYURAseNAKCUFddGhEHrb3JBUABbqWWvGgvZTQCY9nHy
V9Eya1SCGQ8B2kt6v50jNw==
=Y75y
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists