| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKTj95UnwXewAb=SYB6vKBqq_+y34yYP4m2_kew2gztUfftyxA@mail.gmail.com> Date: Thu, 24 Jan 2019 19:24:46 -0600 From: James Williams via Fulldisclosure <fulldisclosure@...lists.org> To: fulldisclosure@...lists.org Subject: [FD] CA20190124-01: Security Notice for CA Automic Workload Automation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20190124-01: Security Notice for CA Automic Workload Automation Issued: January 24, 2019 Last Updated: January 24, 2019 CA Technologies Support is alerting customers to a potential risk with CA Automic Workload Automation Automic Web Interface (AWI). A vulnerability exists that can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. The vulnerability, CVE-2019-6504, has a medium risk rating and concerns insufficient output sanitization, which can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. Risk Rating Medium Platform(s) All supported platforms Affected Products CA Automic Workload Automation 12.0 CA Automic Workload Automation 12.1 CA Automic Workload Automation 12.2 Unaffected Products CA Automic Workload Automation 12.0 with Automic.Web.Interface 12.0.6 HF2 CA Automic Workload Automation 12.1 with Automic.Web.Interface 12.1.3 HF3 CA Automic Workload Automation 12.2 with Automic.Web.Interface 12.2.1 HF1 How to determine if the installation is affected The version number is visible in the About section of AWI. Check the About window after login to AWI to determine the current installed version. Solution CA Technologies published the following solutions to address the vulnerabilities. CA Automic Workload Automation 12.0: Apply Automic.Web.Interface 12.0.6 HF2 CA Automic Workload Automation 12.1: Apply Automic.Web.Interface 12.1.3 HF3 CA Automic Workload Automation 12.2: Apply Automic.Web.Interface 12.2.1 HF1 The fixes can be found at https://downloads.automic.com/ References CVE-2019-6504 - CA Automic Workload Automation Persistent XSS vulnerability Acknowledgement CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab Change History Version 1.0: 2019-01-24 - Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Ken Williams Vulnerability Response Director, Enterprise Software R&D CA Technologies, A Broadcom Company | ca.com | broadcom.com Copyright (c) 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBXEpaSblJjor7ahBNAQh8eBAAjEuXp96eWVTv+bmSGBUi8qE/ql0m366n ApEqok1M0uNiwAte+MpZCfe1QBXzEMlxI3rRzwoU/2AgN6td1Ot2onF3ZSu41xZZ T5Vl8YUgD+H+1aG+lPb2PtqGAkKiiq9/0v7Usa3j2Q0hFcOuzFizUrFwL0zisQqQ 3Yqxe0Z524bxsYOoq3tM6u40hJepA/xrRVehLDXZBEUPoebZ3GjRSgAtcrm1umlQ i4i35xXJ5bO4un0AdBITl9pbYFRsWsT/UmC3SWuqrRNEfPifig0+N0mQFr3HYss8 7P/t9unyX45K8lK8x88zZVLoEpN4hZSi5ClH3KP7ZaSmWlgQXLP7Llw/DAy8oOPc xl8QPkhgNusrBgvUb2LtOoIzD89V+bz2tHYpJ0jpYjXRAjTvfmWCpq96+Kv9qj2/ CGjUHSxrLOvKhg+p3UHerAFYpIa0R4qajoN6D/w69fqaD+8Yzq82oK73M9dcXjPG oiT5V+nC9eWufjpugrJL3ZfaXGz9guLzKrI1IToKNj9iv35umVkSNil3zE5N7nuz UQtqxEBjD/P54KM8fULbtl+4MbWUB7eDq4jeCvD8Ipe3smJ32VfDzMhco4IYxxVS yQt7+lMzNYi/yYazREJzdNbsRw8oCtYJUeYeZtGw1QeUK84TP3dobwqZHte+MonN nJwOOIH2Kpg= =90ur -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists