BugTraq
CA20140218-01: Security Notice for CA 2E Web Option Feb 19 2014 02:32AM
Williams, James K (Ken Williams ca com)


CA20140218-01: Security Notice for CA 2E Web Option

Issued: February 18, 2014

CA Technologies Support is alerting customers to a potential risk in

CA 2E Web Option (C2WEB). A vulnerability exists that can allow an

attacker to exploit an authentication weakness and execute a session

prediction attack. The vulnerability, CVE-2014-1219, is due to a

predictable session token. An unauthenticated attacker can manipulate

a session token to gain privileged access to a valid session. CA

Technologies has issued fixes to address the vulnerability.

Risk Rating

High

Affected Platforms

IBM i

Affected Products

CA 2E Web Option r8.5

CA 2E Web Option r8.5 + PTF 1

CA 2E Web Option r8.6

CA 2E Web Option r8.6 + PTF B

Note that the vulnerable version reported by Portcullis, r8.1.2,

reached End of Service (EOS) on April 10, 2013 and is no longer

supported. Customers can find the CA 2E r8.1, r8.1 SP1 and r8.1 SP2

End of Service Announcement, dated April 10, 2012, on the CA Support

website.

Non-Affected Products

None (i.e. all supported versions of CA 2E Web Option are affected)

How to determine if the installation is affected

All supported versions of CA 2E Web Option are affected by this

vulnerability.

To determine if the fix for this vulnerability has been applied, refer

to the guidance below for each supported version.

CA 2E Web Option r8.5:

The existence of the data area YHFM55861 in PTF library YW8501254 will

indicate that this solution has been applied.

CA 2E Web Option r8.6:

The existence of the data area YHFM55865 in PTF library YW860B254 will

indicate that this solution has been applied.

Solution

CA Technologies has issued the following fixes to address the

vulnerability.

CA 2E Web Option r8.5:

RO67583

CA 2E Web Option r8.6:

RO67569

Workaround

None

References

CVE-2014-1219 - CA 2E Web Option Session Prediction Vulnerability

CA20140218-01: Security Notice for CA 2E Web Option

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

CVE-2014-1219 - Portcullis

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies

Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please

report your findings to the CA Technologies Product Vulnerability

Response Team.

support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Thanks and regards,

Ken Williams

CA Technologies

Director, Product Vulnerability Response Team

Ken.Williams (at) ca (dot) com [email concealed]

Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.

11749. All other trademarks, trade names, service marks, and logos

referenced herein belong to their respective companies.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus