| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKTj95VYnT+k_Nq+PhT1L38qQXSDRbmst4PzowakF354qYwCyQ@mail.gmail.com> Date: Thu, 3 Feb 2022 13:57:49 -0600 From: Ken Williams via Fulldisclosure <fulldisclosure@...lists.org> To: fulldisclosure@...lists.org Subject: [FD] CA20220203-01: Security Notice for CA Harvest Software Change Manager -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20220203-01: Security Notice for CA Harvest Software Change Manager Issued: February 3rd, 2022 CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions. The vulnerability, CVE-2022-22689, occurs due to insufficient input validation. A privileged user can potentially execute arbitrary code or commands. Risk Rating CVE-2022-22689 - High Platform(s) Microsoft Windows, Linux, Linux s390x, Apple MacOS Affected Products CA Harvest Software Change Manager 13.0.3 CA Harvest Software Change Manager 13.0.4 CA Harvest Software Change Manager 14.0.0 CA Harvest Software Change Manager 14.0.1 Note: older, unsupported versions may be affected How to determine if the installation is affected For Harvest Workbench, check for "CA Harvest Software Change Manager Workbench" release number. - From Harvest workbench, Click on About > CA Harvest Software Change Manager Workbench For 13.0.3 it would be 13.0.3.152 For 13.0.4 it would be 13.0.4.254 For 14.0.0 it would be 14.0.0.369 For 14.0.1 it would be 14.0.0.369 For Eclipse, check for "CA Harvest SCM Team Provider" feature version. - From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or 13.0.4.254c For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a Solution CA Technologies published the following solutions to address the vulnerabilities: Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or 14.0.1. Fixes are available at https://support.broadcom.com/ 13.0.3 APAR 99111332 13.0.4 APAR 99111333 14.0.0 APAR 99111334 14.0.1 APAR 99111356 How to determine if the fix is applied For Harvest Workbench, check for "CA Harvest SCM Workbench" feature name. - From Harvest Workbench, Click on About > CA Harvest Software Change Manager Workbench > Installation Details > Features Feature name would be "CA Harvest SCM Workbench-Efix-V0001" For Eclipse, check for "CA Harvest SCM Team Provider" feature version. - From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features For 13.0.3 it would be 13.0.3.152b For 13.0.4 it would be 13.0.4.254d For 14.0.0 it would be 14.0.0.369b For 14.0.1 it would be 14.0.2.16 References CVE-2022-22689 - CA Harvest Software Change Manager CSV injection vulnerability Acknowledgement CVE-2022-22689 - Merten Nagel of usd AG Change History Version 1.0: 2022-02-03 - Initial Release CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site. Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team at ca.psirt <AT> broadcom.com Security Notices, PGP key, disclosure policy, and related guidance can be found at: https://techdocs.broadcom.com/ca-psirt Regards, Ken Williams Vulnerability and Incident Response, Broadcom and CA PSIRT https://techdocs.broadcom.com/ca-psirt https://www.broadcom.com/support/resources/product-security-center ken.williams<AT>broadcom.com | ca.psirt<AT>broadcom.com | psirt<AT>broadcom.com | Broadcom | broadcom.com Copyright (c) 2022 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBYfwyskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74 NfFlXQY5b+Azl8h1z0mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb HDgfqhpSLwlGgfhDq93H185+1JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr UK6h03PZWriexDqhNPszSG8+XHVxDBsMVxvIoV7REM83PV9QbBC2Y2506s2NcOsr zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGCvXNZXvF6v/gmbKwUoj1fLVxr+ B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+mybvr8D1Betjxjqp8fQuN n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i1b+qlfEMp6v WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV+DE4 quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbs PQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf om/NSIkMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky 9tdZUcfmjEE= =+rbw -----END PGP SIGNATURE----- -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists