lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 3 Feb 2022 13:57:49 -0600
From: Ken Williams via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] CA20220203-01: Security Notice for CA Harvest Software Change
	Manager

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20220203-01: Security Notice for CA Harvest Software Change Manager

Issued: February 3rd, 2022

CA Technologies, A Broadcom Company, is alerting customers to a
vulnerability in CA Harvest Software Change Manager. A vulnerability
exists that can allow a privileged user to perform CSV injection
attacks and potentially execute arbitrary code or commands. Note that
this vulnerability is specific to the Harvest Workbench and Eclipse
Plugin interfaces. CA published solutions to address this
vulnerability and recommends that all affected customers implement
these solutions.

The vulnerability, CVE-2022-22689, occurs due to insufficient input
validation.  A privileged user can potentially execute arbitrary code
or commands.


Risk Rating

CVE-2022-22689 - High


Platform(s)

Microsoft Windows, Linux, Linux s390x, Apple MacOS


Affected Products

CA Harvest Software Change Manager 13.0.3
CA Harvest Software Change Manager 13.0.4
CA Harvest Software Change Manager 14.0.0
CA Harvest Software Change Manager 14.0.1
Note: older, unsupported versions may be affected


How to determine if the installation is affected

For Harvest Workbench, check for "CA Harvest Software Change Manager
Workbench" release number.

- From Harvest workbench, Click on About > CA Harvest Software
Change Manager Workbench
For 13.0.3 it would be 13.0.3.152
For 13.0.4 it would be 13.0.4.254
For 14.0.0 it would be 14.0.0.369
For 14.0.1 it would be 14.0.0.369

For Eclipse, check for "CA Harvest SCM Team Provider" feature
version.

- From Eclipse, Click on About > About Eclipse IDE >
Installation Details > Features
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a
For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or
13.0.4.254c
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a
For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a


Solution

CA Technologies published the following solutions to address the
vulnerabilities:

Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or
14.0.1.

Fixes are available at https://support.broadcom.com/
13.0.3 APAR 99111332
13.0.4 APAR 99111333
14.0.0 APAR 99111334
14.0.1 APAR 99111356


How to determine if the fix is applied

For Harvest Workbench, check for "CA Harvest SCM Workbench" feature
name.

- From Harvest Workbench, Click on About > CA Harvest Software
Change Manager Workbench > Installation Details > Features

Feature name would be "CA Harvest SCM Workbench-Efix-V0001"

For Eclipse, check for "CA Harvest SCM Team Provider" feature version.

- From Eclipse, Click on About > About Eclipse IDE >
Installation Details > Features
For 13.0.3 it would be 13.0.3.152b
For 13.0.4 it would be 13.0.4.254d
For 14.0.0 it would be 14.0.0.369b
For 14.0.1 it would be 14.0.2.16


References

CVE-2022-22689 - CA Harvest Software Change Manager CSV injection
vulnerability


Acknowledgement

CVE-2022-22689 - Merten Nagel of usd AG


Change History

Version 1.0: 2022-02-03 - Initial Release


CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at https://support.broadcom.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT> broadcom.com

Security Notices, PGP key, disclosure policy, and related guidance can
be found at: https://techdocs.broadcom.com/ca-psirt


Regards,
Ken Williams
Vulnerability and Incident Response, Broadcom and CA PSIRT
https://techdocs.broadcom.com/ca-psirt
https://www.broadcom.com/support/resources/product-security-center
ken.williams<AT>broadcom.com | ca.psirt<AT>broadcom.com |
psirt<AT>broadcom.com | Broadcom | broadcom.com

Copyright (c) 2022 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective
companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsFVAwUBYfwyskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74
NfFlXQY5b+Azl8h1z0mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb
HDgfqhpSLwlGgfhDq93H185+1JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr
UK6h03PZWriexDqhNPszSG8+XHVxDBsMVxvIoV7REM83PV9QbBC2Y2506s2NcOsr
zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGCvXNZXvF6v/gmbKwUoj1fLVxr+
B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+mybvr8D1Betjxjqp8fQuN
n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i1b+qlfEMp6v
WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV+DE4
quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbs
PQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf
om/NSIkMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky
9tdZUcfmjEE=
=+rbw
-----END PGP SIGNATURE-----

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists