lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 11 Dec 2019 07:39:35 -0600
From: Ken Williams via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] CA20191210-01: Security Notice for CA Automic Sysload

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20191210-01: Security Notice for CA Automic Sysload

Issued: December 10th, 2019
Last Updated: December 10th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Automic Sysload in the File Server component. A
vulnerability exists that can allow a remote attacker to execute
arbitrary commands. CA published solutions to address the
vulnerability and recommends that all affected customers implement
this solution.

The vulnerability, CVE-2019-19518, occurs due to a lack of
authentication on the File Server port. A remote attacker may execute
arbitrary commands.


Risk Rating

High


Platform(s)

All supported platforms


Affected Products

CA Automic Sysload 5.6.0, 5.8.0, 5.8.1, 6.0.0, 6.0.1, 6.1.2


How to determine if the installation is affected

A customer is affected by vulnerability if the module Sysload File
Server is installed in the following versions:
5.60 (build lower than 60.13)
5.80
6.00 (build lower than 65.6)


Solution

CA Technologies published the following solutions to address the
vulnerability:

5.6.0 HF1
5.6.0 HF2
5.8.0 HF1
5.8.1 HF1
6.0.0 HF1
6.0.1 HF1
6.1.2 HF1
Those hotfixes include the module Sysload File Server in the
following versions ('readme' file):
5.60 build 60.13 (OS/400)
6.00 build 65.8 (Unix, Windows)

All of the hotfixes are available for download at Sysload downloads.


References

CVE-2019-19518 - CA Automic Sysload


Acknowledgement

CVE-2019-19518 - Raphaël Rigo from the Airbus Security Lab


Change History

Version 1.0: 2019-12-10 - Initial Release


CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT> broadcom.com

Security Notices, PGP key, disclosure policy, and related guidance can
be found at https://techdocs.broadcom.com/ca-psirt


Regards,
Ken Williams
Vulnerability and Incident Response, CA PSIRT
https://techdocs.broadcom.com/ca-psirt
Broadcom | broadcom.com | Kansas City, Missouri, USA
ken.williams <AT> broadcom.com | ca.psirt <AT> broadcom.com


Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective
companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsBVAwUBXfDwDLZ6yOO9o8STAQiXVAf8DSLtflogd+hHtRQRr3mJUZ7FUxJhrkI7
X1V99aL0XX83rVLf/UXNf0wM9WjEJAZTB1KXTzhI9jJQtVXLJiDnxLbEmxhDAuIJ
DNXcOssbiFRWqZShh8H0/EBr9H8xcW+rwhDoHLaaJK/sRyy/LB305/6x4SmyzASc
+K2uTaPg8A7IwH5kosjZorHmuHHbB/S7Y/GuZ7Wz+RFHYHtTnb+1h7VLMCnaxMgb
ur+6oP5LVuCRROJ1kGgiS+ryrdMZuy8XCsZ1LbhoA0yOOcftGUd1gnD3jTCH2YFM
Q23cLNuucwP46x/PLRDRA3b2dEYi6cHPyPe7Y+k60wSV8kr1nX2u2Q==
=VWEC
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists