CA Service Desk Multiple Cross-Site Scripting Vulnerabilities Sep 26 2008 02:10AM
Williams, James K (James Williams ca com)


Title: CA Service Desk Multiple Cross-Site Scripting

Vulnerabilities

CA Advisory Date: 2008-09-24

Reported By:

Open Security Foundation

Impact: A remote attacker can conduct cross-site scripting attacks.

Summary: CA Service Desk contains multiple vulnerabilities that

can allow a remote attacker to conduct cross-site scripting

attacks. CA has issued patches to address the vulnerabilities. The

vulnerabilities, CVE-2008-4119, are due to insecure handling of

passed variables in multiple web forms. An attacker, who can

convince a user to click on a specially crafted link, can

potentially conduct cross-site scripting attacks.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Low risk rating.

Affected Products:

CA Service Desk r11.2

CA CMDB 11.0

CA CMDB 11.1

CA CMDB 11.2

Affected Platforms:

Microsoft Windows 2003 R2

Microsoft Windows 2003 SP1

Microsoft Windows 2003 SP2

Microsoft Windows 2000 Server Family with SP4 applied (32 bit only)

Red Hat Enterprise Linux 3.0 x86

Red Hat Enterprise Linux 4.0 x86

SUSE Linux Enterprise Server 9 (SLES) x86

SUSE Linux Enterprise Server 10 SP1 (SLES) x86

Sun Solaris 9 SPARC (64 bit only)

Sun Solaris 10 SPARC (64 bit only)

HP/UX 11.11 PA-RISC (64 bit only)

HP/UX 11.23 PA-RISC (64 bit only)

HP/UX 11.31 PA-RISC (64 bit only)

AIX 5.2 (64 bit only)

AIX 5.3 (64 bit only)

Status and Recommendation:

CA CMDB 11.0 and CA CMDB 11.1 users should upgrade to CA CMDB

11.2, which includes all of the fixes.

CA has issued the following cumulative fixes for CA Service Desk

r11.2 to address the vulnerabilities.

Note: If you are using a version of CA Service Desk earlier than

r11.2, you will first need to upgrade to r11.2. For users of

earlier versions, CA recommends upgrading to r11.2.

Windows:

CA Service Desk Crystal Report component:

QO99896

CA Service Desk Dashboard component:

QO99895

CA Service Desk Web Screen Painter component:

QO99894

CA Service Desk Web Server component:

QO99893

CA Service Desk Server component:

QO99892

AIX:

CA Service Desk Web Screen Painter component:

QO99905

CA Service Desk Web Server component:

QO99901

CA Service Desk Server component:

QO99897

HPUX:

CA Service Desk Web Screen Painter component:

QO99906

CA Service Desk Web Server component:

QO99902

CA Service Desk Server component:

QO99898

Linux:

CA Service Desk Web Screen Painter component:

QO99907

CA Service Desk Web Server component:

QO99903

CA Service Desk Server component:

QO99899

Solaris:

CA Service Desk Web Screen Painter component:

QO99908

CA Service Desk Web Server component:

QO99904

CA Service Desk Server component:

QO99900

How to determine if you are affected:

Check the Applyptf log to determine if the fix has been applied.

Additional information, including platform-specific instructions

and updated routine details, can be found in the appropriate

solution document.

Workaround: None

References (URLs may wrap):

CA Support:

http://support.ca.com/

Security Notice for CA Service Desk

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1865
85

Solution Document Reference APARs:

QO99896, QO99895, QO99894, QO99893, QO99892, QO99905, QO99901,

QO99897, QO99906, QO99902, QO99898, QO99907, QO99903, QO99899,

QO99908, QO99904, QO99900

CA Security Response Blog posting:

CA Service Desk Multiple Cross-Site Scripting Vulnerabilities

community.ca.com/blogs/casecurityresponseblog/archive/2008/09/25.aspx

Reported By:

Open Security Foundation

http://opensecurityfoundation.org/

CVE References:

CVE-2008-4119 â?? CA Service Desk multiple cross-site scripting

issues

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4119

OSVDB References: Pending

http://osvdb.org/

Changelog for this advisory:

v1.0 - Initial Release

v1.1 - Added CA CMDB solutions

Customers who require additional information should contact CA

Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory,

please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your

findings to our product security response team.

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1777
82

Regards,

Ken Williams ; 0xE2941985

Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/

Legal Notice http://www.ca.com/us/legal/

Privacy Policy http://www.ca.com/us/privacy/

Copyright (c) 2008 CA. All rights reserved.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus