BugTraq
CA20141215-01: Security Notice for CA LISA Release Automation Dec 15 2014 11:52PM
Williams, Ken (Ken Williams ca com)


-----BEGIN PGP SIGNED MESSAGE-----

CA20141215-01: Security Notice for CA LISA Release Automation

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple

vulnerabilities in CA Release Automation (formerly CA LISA Release

Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery

(CSRF) issue related to insufficient validation. A remote attacker can

potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)

issue caused by insufficient input filtering. A remote attacker can

execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused

by insufficient input sanitization. An attacker with a non-privileged

account could utilize a specially crafted query to access privileged

information.

Risk Rating

Medium

Platform

Windows

Linux

Solaris

Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the

RA â??About Automation Studioâ? page and check the displayed version.

Patched systems will display version 4.7.1.448 or later.

Alternatively, you can also see which fixes (you can see the fix

folders) are applied by looking at the Fix_Maintenance directory.

Windows example:

C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance

Linux, Solaris example:

/opt/LISAReleaseAutomationServer/Fix_Maintenance

Solution

CA Technologies has issued the following fix to address the

vulnerabilities.

CA Release Automation 4.7.1:

Apply Hot Fix 5 (cumulative hot fix b448) for CA Lisa Release

Automation 4.7.1

Workaround

None

References

CVE-2014-8246 â?? Release Automation cross-site request forgery (CSRF)

CVE-2014-8247 â?? Release Automation cross-site scripting (XSS)

CVE-2014-8248 â?? Release Automation SQL injection

Acknowledgement

CVE-2014-8246 â?? Lukasz Plonka, Julian Horoszkiewicz

CVE-2014-8247 â?? Julian Horoszkiewicz

CVE-2014-8248 â?? Lukasz Plonka

Change History

v1.0: 2014-12-15, Initial Release

If additional information is required, please contact CA Technologies

Support at https://support.ca.com

If you discover a vulnerability in CA Technologies products, please

report your findings to the CA Technologies Product Vulnerability

Response Team at vuln (at) ca (dot) com [email concealed]

CA Technologies Product Vulnerability Response Team PGP Key:

support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,

Ken Williams

Director, Product Vulnerability Response Team

CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com

Ken.Williams (at) ca (dot) com [email concealed] | vuln (at) ca (dot) com [email concealed]

Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.

11749. All other trademarks, trade names, service marks, and logos

referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----

Version: Encryption Desktop 10.3.2 (Build 15238)

Charset: utf-8

wsBVAwUBVI9y85I1FvIeMomJAQGSwgf7Box/uvBBZ5Hd2MUn7Qzk/IuWWo/CC0O2

bDQRha/yw20cLllWZodJQnZSE/tTb2St52Byj4NRvslNLpnce37tnkfwIWAIe3y7

VIMj5CaQ7YUF0mOanUfwNixamai5DTEoyKyBDpr7nSo6kUocRvnQVs/caapaMBMN

09rpAd+02stVCC/YfRLk/2a0s5Py91d/nuq7NuimkMOWl4pI2/3QZ1ldOHHvJLAp

MTvEM2ip1HNzfS8sMBuUA5SGoAwpiC/G8sf97DJcdX1PVQkgP0OiYv/EYlydFiF6

Mg94fuKyu0/kVLg51vColKmdydn2Fxbz4EUbh0mx2Z1S7MNfwPwfYQ==

=7/gt

-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus