Home page logo
/

bugtraq logo Bugtraq mailing list archives

CA20121001-01: Security Notice for CA License
From: "Williams, James K" <James.Williams () ca com>
Date: Mon, 1 Oct 2012 20:00:12 +0000



CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
License (also known as CA Licensing).  Vulnerabilities exist that can 
allow a local attacker to execute arbitrary commands or gain elevated 
access.  CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of 
system commands.  An unprivileged user can exploit this vulnerability to 
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user 
validation.  An unprivileged user can exploit this vulnerability to create 
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup  (formerly CA ARCserve Host Based 
   VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual 
   Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0, 
   r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for 
   Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1        
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the 
“lic98version” program.  Lic98version retrieves the version of CA License 
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in 
the CA License installation location, and is also displayed on the console. 


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific 
instructions:

1.      First, make backups of the ca.olf file and the lic98.dat file.
2.      Uninstall the existing/old version of CA License.
3.      Perform the installation of CA License 1.90.04.
4.      Confirm the successful installation of 1.9.04, and then replace the 
        existing ca.olf file and lic98.dat file with the files you backed 
        up in step 1.

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/ 


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ALP License Update for Windows:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={2B524FD2-9275-4820-997F-E9C0BC0DE768}

CA ARCserve products:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Automation Point r11.2:
Install SP5 when available.

CA Automation Point r11.3:
Install SP2, which uses CA License v1.90.04.

CA Client Automation r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later 
for Windows and Linux platforms, or v1.90.03 or later for all other 
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Common Services (CCS) r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder (formerly known as CA Access Control) 12.5, 12.6:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder for Virtual Environments 2.0 (formerly known as ACVE):
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Database Management r11.3, r11.4, r11.5:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Directory 8.1:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.0, 11.1:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.6 for Linux PC:
Download and install CA License v1.90.04 or later:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Erwin Data Modeler r7.x:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Gen r8:
Upgrade to CA Gen r8.5, or download and install CA License v1.90.04 or 
later for Windows and Linux platforms, or v1.90.03 or later for all other 
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IdentityMinder (formerly known as CA Identity Manager) r12 CR16 and 
earlier:
Upgrade to r12.5, or download and install CA License v1.90.04 or later for 
Windows and Linux platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Insight Database Performance Manager 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Asset Manager (ITAM) r12.6 and earlier:
Apply RI40652 for UAPM 11.3.4
Apply RI40653 for APM 12.6
Apply RI40654 for CASWCM 12.6
Apply RI40655 for CASWCM 12.0

CA IT Client Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later 
for Windows and Linux platforms, or v1.90.03 or later for all other 
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Inventory Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later 
for Windows and Linux platforms, or v1.90.03 or later for all other 
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Output Management Web Viewer 11.5:
Apply RI36100

CA Plex r6.1:
Upgrade to CA Plex r7.0

CA Repository for Distributed Systems r2.3:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Service Accounting r12.5:
Apply RO40603 (PIB RI40667)

CA Service Accounting r12.6:
Apply RO40613 (PIB RI40669)

CA Service Catalog r12.5:
Apply RO40603 (PIB RI40667)

CA Service Catalog r12.6:
Apply RO40613 (PIB RI40669)

CA Service Desk Manager r12.1, r12.5, r12.6:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier: 
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms: 
(Note that you will need to stop all SSO server services (including Access 
Control and Directory) before upgrading the License component.)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Compliance Manager r12.0:
Apply RI40655

CA Software Compliance Manager r12.6:
Apply RI40654

CA SRM 11.8:
Apply RI35825 (CA License Vulnerability Fix)

CA SRM 12.6:
Apply RI35823 (CA License Vulnerability Fix)

CA TSreorg for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Unicenter Asset Portfolio Management r11.3, r11.3.4:
Apply RI40652

CA Unicenter Asset Portfolio Management r12.6:
Apply RI40653

CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA Workload Automation DE r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347B7-543B-4345-B8FB-E840A0B72BFF}

CA XCOM Data Transport Gateway PC Linux r11.5:
Apply RI36093

CA XCOM Data Transport Gateway Windows r11.5:
Apply RI36094

CA XCOM Data Transport for PC Linux r11.5:
Apply RI36091

CA XCOM Data Transport for Windows 11.5:
Apply RI36090

CA XCOM Data Transport Management Center for PC Linux 11.5:
Apply RI38961

CA XCOM Data Transport Management Center for Windows 11.5:
Apply RI38984


Workaround

None


References

CVE-2012-0691 – CA License system command usage
CVE-2012-0692 – CA License user validation weakness


Acknowledgement

CVE-2012-0691 – Raphael Rigo, ANSSI (French Network and Information 
                Security Agency)
CVE-2012-0692 – Raphael Rigo, ANSSI (French Network and Information 
                Security Agency)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22 () ca com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

  By Date           By Thread  

Current thread:
  • CA20121001-01: Security Notice for CA License Williams, James K (Oct 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault