BugTraq
CA20121220-01: Security Notice for CA IdentityMinder Dec 20 2012 09:44PM
Williams, James K (James Williams ca com)


CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012

CA Technologies Support is alerting customers to two potential risks in CA
IdentityMinder (formerly known as CA Identity Manager). Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary commands,
manipulate data, or gain elevated access. CA Technologies has issued
patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain
elevated access.

Risk Rating

High

Affected Platforms

All

Affected Products

CA IdentityMinder r12.0 CR16 and earlier

CA IdentityMinder r12.5 SP1 thru SP14

CA IdentityMinder r12.6 GA

Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)

How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar
and ims.jar. The dates on these jars will be set to the dates on which the
patch was applied.
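
One way to run the jar-date check above across an install tree, as an added example that is not part of the CA advisory. It assumes the advisory's issue date (December 20, 2012) is the earliest date a patch could have been applied, and the `node-a`/`node-b` directories are a constructed sample, not real IdentityMinder paths.

```python
import os
import sys
import tempfile
from datetime import datetime, timezone

# Jar names are the two the advisory lists; the cutoff is its issue date (assumption).
PATCH_JARS = {"imsapi6.jar", "ims.jar"}
ADVISORY_DATE = datetime(2012, 12, 20, tzinfo=timezone.utc)

def audit_jars(root, cutoff=ADVISORY_DATE):
    """Return sorted (path, mtime, status) for every advisory-named jar under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in PATCH_JARS:
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            # Older than the advisory: the patch cannot have replaced this jar.
            # Newer: consistent with patching, but any copy or reinstall also
            # updates the date, so confirm against the change record.
            status = "UNPATCHED" if mtime < cutoff else "REVIEW"
            findings.append((path, mtime, status))
    return sorted(findings)

def missing_jars(findings):
    """Advisory-named jars that were not found at all under the scanned root."""
    found = {os.path.basename(path).lower() for path, _mtime, _status in findings}
    return sorted(PATCH_JARS - found)

def make_sample_tree(root):
    """Constructed sample: two hypothetical install dirs with back-dated jars."""
    layout = {("node-a", "imsapi6.jar"): datetime(2012, 6, 1, tzinfo=timezone.utc),
              ("node-a", "ims.jar"): datetime(2012, 6, 1, tzinfo=timezone.utc),
              ("node-b", "imsapi6.jar"): datetime(2013, 1, 15, tzinfo=timezone.utc)}
    for (node, jar), when in layout.items():
        os.makedirs(os.path.join(root, node, "lib"), exist_ok=True)
        path = os.path.join(root, node, "lib", jar)
        open(path, "wb").close()
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    # With no argument, scan the constructed sample instead of a real install root.
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        make_sample_tree(root)
    report = audit_jars(root)
    for path, mtime, status in report:
        print(f"{status:9} {mtime:%Y-%m-%d}  {path}")
    for jar in missing_jars(report):
        print(f"MISSING   {jar} not found under {root}")
```

A `REVIEW` result only shows the date is not older than the advisory; a `MISSING` line means the scan root is probably not the directory that holds the deployed jars.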

Solution

CA Technologies has issued the following patches to address the
vulnerabilities. Download the appropriate patch(es) and follow the
instructions in the readme.txt file. These patches can be applied to all
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip
12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip
12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip
12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip
12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip
12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip
12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip
12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip
12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip
12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip
12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip
12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip
12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip
12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip
12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip
12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip

Workaround

None

References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate data

CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}

Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies

CVE-2012-6299 - Discovered internally by CA Technologies

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Thanks and regards,

Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22 (at) ca (dot) com

Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
