Date: Wed, 1 Dec 2021 13:15:38 -0600
From: Ken Williams via Fulldisclosure <>
Subject: [FD] CA20211201-01: Security Notice for CA Network Flow Analysis


CA20211201-01: Security Notice for CA Network Flow Analysis

Issued: December 1st, 2021

CA Technologies, A Broadcom Company, is alerting customers to a
vulnerability in CA Network Flow Analysis (NFA). A vulnerability
exists that can allow an authenticated user to perform SQL injection
attacks and access sensitive data. CA published solutions to address
this vulnerability and recommends that all affected customers
implement these solutions.

The vulnerability, CVE-2021-44050, occurs due to insufficient input
validation.  An authenticated user can potentially access sensitive

Risk Rating

CVE-2021-44050 - Medium


Microsoft Windows Server 2012 R2, 2016, 2019

Affected Products

CA Network Flow Analysis 9.3.8
CA Network Flow Analysis 9.5
CA Network Flow Analysis 10.0
CA Network Flow Analysis 10.0.2
CA Network Flow Analysis 10.0.3
CA Network Flow Analysis 10.0.4
CA Network Flow Analysis 10.0.5
CA Network Flow Analysis 10.0.6
CA Network Flow Analysis 10.0.7
CA Network Flow Analysis 21.2.1
Note: older, unsupported versions may be affected

Non-Affected Products

CA Network Flow Analysis 21.2.2 and above

How to determine if the installation is affected

Check the Version Information in the NFA Console
(Administration -> About).


CA Technologies published the following solutions to address the

Upgrade to 21.2.2 or above.

Alternatively, apply the appropriate fix provided for 10.0.2, 10.0.3,
10.0.4, 10.0.5, 10.0.6, 10.0.7, and/or 21.2.1.

Fixes are available at:

Note that End of Service has already been announced for NFA 9.3.8,
9.5, and 10.0.  Contact Broadcom Support if you are unable to upgrade
to a non-vulnerable version, or to a version with an available fix.


CVE-2021-44050 - CA NFA SQL injection vulnerability


CVE-2021-44050 - Anthony Ferrillo, NCC Group

Change History

Version 1.0: 2021-12-01 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT>

Security Notices, PGP key, disclosure policy, and related guidance can
be found at:

Ken Williams
Vulnerability and Incident Response, Broadcom and CA PSIRT
ken.williams<AT> | ca.psirt<AT> |
Broadcom |

Copyright (c) 2021 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective



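As an added example, not part of the notice or of any CA tooling, the following Python helper applies the affected, fix-available, end-of-service and fixed-from lists stated in the notice to the version string read from the NFA Console (Administration -> About). It assumes that string is plain dotted numerics like the ones listed (e.g. "10.0.6"); anything else is rejected rather than guessed at.

```python
"""Classify a CA Network Flow Analysis version against CA20211201-01 (CVE-2021-44050)."""
from typing import Tuple

# Version lists transcribed from the notice, as integer tuples so they compare numerically.
FIX_AVAILABLE = {(10, 0, 2), (10, 0, 3), (10, 0, 4), (10, 0, 5), (10, 0, 6), (10, 0, 7), (21, 2, 1)}
END_OF_SERVICE = {(9, 3, 8), (9, 5), (10, 0)}
AFFECTED = FIX_AVAILABLE | END_OF_SERVICE          # the full "Affected Products" list
FIXED_FROM = (21, 2, 2)                            # "21.2.2 and above" is not affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '10.0.6' into (10, 0, 6).

    Only dotted, all-numeric strings are accepted (an assumption about the
    About-page format); anything else raises so it is never misclassified.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised NFA version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> Tuple[str, str]:
    """Return (status, recommended action) for one installed NFA version.

    Tuple comparison gives the "21.2.2 and above" rule for free: a longer tuple
    with an equal prefix (e.g. 21.2.2.1) and a higher minor (e.g. 21.3) both
    compare greater than FIXED_FROM.
    """
    v = parse_version(text)
    if v >= FIXED_FROM:
        return "not affected", "no action required for CVE-2021-44050"
    if v in FIX_AVAILABLE:
        return "fix available", "apply the fix for this release, or upgrade to 21.2.2 or above"
    if v in END_OF_SERVICE:
        return "end of service", "upgrade to 21.2.2 or above, or contact Broadcom Support"
    if v in AFFECTED:  # kept for completeness; the two sets above cover the list
        return "affected", "upgrade to 21.2.2 or above"
    # Not on either list: the notice says older, unsupported versions may be affected.
    return "unlisted", "treat as potentially affected and confirm with Broadcom Support"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch.
    for sample in ("21.2.2", "21.2.1", "10.0.6", "9.5", "10.0.1"):
        status, action = classify(sample)
        print(f"NFA {sample}: {status} -> {action}")
```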

Sent through the Full Disclosure mailing list