Date: Thu, 17 Dec 2020 19:55:06 -0500
From: Kevin Kotas via Fulldisclosure <>
Subject: [FD] CA20201215-01: Security Notice for CA Service Catalog

CA20201215-01: Security Notice for CA Service Catalog

Issued: December 15, 2020
Last Updated: December 15, 2020

CA Technologies, a Broadcom Company, is alerting customers to a risk
with CA Service Catalog. A vulnerability can potentially exist in a
specific configuration that can allow a remote attacker to cause a
denial of service condition. CA published a solution and instructions
to resolve the vulnerability.

The vulnerability, CVE-2020-29478, occurs due to a default configuration
setting that, if not modified during installation by customers, can
allow a remote attacker to access and update configuration
information that can result in a denial of service condition.

Risk Rating

CVE-2020-29478 - High



Affected Products

CA Service Catalog 17.2
CA Service Catalog 17.3

How to determine if the installation is affected

The Setup Utility login will allow the administrator to set the
password if the administrator doesn’t set the password during


The following solutions address the vulnerability.

CA Service Catalog 17.2:
Update to Service Catalog 17.2 RU10

CA Service Catalog 17.3:
Update to Service Catalog 17.3 RU2


The steps to mitigate this risk are:

1. Customers should confirm that they set the password for the Setup
   (documentation: CA Enterprise Software > Business Management >
   CA Service Management - 17.3 > Configuring CA Service Catalog)

2. After setting the password, restart the Catalog service


CVE-2020-29478 - CA Service Catalog configuration access


CVE-2020-29478 - Felipe Restrepo

Change History

Version 1.0: 2020-12-15 Initial Release

CA customers may receive product alerts and advisories by
subscribing to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at ca.psirt <AT>

Security Notices, PGP key, and disclosure policy and guidance

Kevin Kotas
Principal, CA Product Security Incident Response Team

Copyright 2020 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA Technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.

