lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 11 Dec 2019 07:39:35 -0600
From: Ken Williams via Fulldisclosure <>
Subject: [FD] CA20191210-01: Security Notice for CA Automic Sysload

Hash: SHA256

CA20191210-01: Security Notice for CA Automic Sysload

Issued: December 10th, 2019
Last Updated: December 10th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Automic Sysload in the File Server component. A
vulnerability exists that can allow a remote attacker to execute
arbitrary commands. CA published solutions to address the
vulnerability and recommends that all affected customers implement
this solution.

The vulnerability, CVE-2019-19518, occurs due to a lack of
authentication on the File Server port. A remote attacker may execute
arbitrary commands.

Risk Rating



All supported platforms

Affected Products

CA Automic Sysload 5.6.0, 5.8.0, 5.8.1, 6.0.0, 6.0.1, 6.1.2

How to determine if the installation is affected

A customer is affected by vulnerability if the module Sysload File
Server is installed in the following versions:
5.60 (build lower than 60.13)
6.00 (build lower than 65.6)


CA Technologies published the following solutions to address the

5.6.0 HF1
5.6.0 HF2
5.8.0 HF1
5.8.1 HF1
6.0.0 HF1
6.0.1 HF1
6.1.2 HF1
Those hotfixes include the module Sysload File Server in the
following versions ('readme' file):
5.60 build 60.13 (OS/400)
6.00 build 65.8 (Unix, Windows)

All of the hotfixes are available for download at Sysload downloads.


CVE-2019-19518 - CA Automic Sysload


CVE-2019-19518 - Raphaël Rigo from the Airbus Security Lab

Change History

Version 1.0: 2019-12-10 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT>

Security Notices, PGP key, disclosure policy, and related guidance can
be found at

Ken Williams
Vulnerability and Incident Response, CA PSIRT
Broadcom | | Kansas City, Missouri, USA
ken.williams <AT> | ca.psirt <AT>

Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective

Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists