09 June 2015
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1480
           CA20150604-01: Security Notice for CA Common Services
                                9 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CA Common Services
Publisher:         CA Technologies
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3318 CVE-2015-3317 CVE-2015-3316

Original Bulletin:
   http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20150604-01-security-notice-for-ca-common-services.aspx

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20150604-01: Security Notice for CA Common Services

Issued: June 4, 2015

CA Technologies Support is alerting customers to multiple potential risks
with products that bundle CA Common Services on Unix/Linux platforms. A
local attacker may exploit these vulnerabilities to gain additional
privileges.

The first vulnerability, CVE-2015-3316, occurs due to insecure use of an
environment variable which may enable a local attacker to gain privileged
access.

The second vulnerability, CVE-2015-3317, occurs due to multiple instances
of insufficient bounds checking which can potentially allow a local
attacker to gain privileged access.

The third vulnerability, CVE-2015-3318, occurs due to inadequate validation
of a variable which can possibly allow a local attacker to gain privileged
access.
Risk Rating

Medium

Platform

AIX, HP-UX, Linux, Solaris

Affected Products

CA Common Services, all versions on AIX, HP-UX, Linux, Solaris

CA Technologies products that bundle this software include:

CA Client Automation r12.5 SP01, r12.8, r12.9 on AIX, HP-UX, Linux, Solaris
CA Network and Systems Management r11.0, r11.1, r11.2 on AIX, HP-UX, Linux,
  Solaris
CA NSM Job Management Option r11.0, r11.1, r11.2 on AIX, HP-UX, Linux,
  Solaris
CA Universal Job Management Agent on AIX, HP-UX, Linux, Solaris
CA Virtual Assurance for Infrastructure Managers (SystemEDGE) 12.6, 12.7,
  12.8, 12.9 on AIX, HP-UX, Linux, Solaris
CA Workload Automation AE r11.3.6, r11.3.5, r11.3, r11 on AIX, HP-UX, Linux,
  Solaris

How to determine if the installation is affected

CA Client Automation, CA Network and Systems Management, CA NSM Job
Management Option, CA Universal Job Management Agent, CA Workload
Automation AE:

Customers can use the applyptf program to determine if the patch from the
solution section is present.

CA Virtual Assurance for Infrastructure Managers (SystemEDGE):

Customers should review the solution section.

Solution

CA Client Automation:
  Linux RO80741, AIX RO80722, HP-UX RO80734, Sun SPARC RO80736,
  Sun Intel RO80739

CA Network and Systems Management:
  Linux RO80380, AIX RO80381, HP-UX RO80382, Sun SPARC RO80383,
  Sun Intel RO80384

CA NSM Job Management Option:
  Linux RO80380, AIX RO80381, HP-UX RO80382, Sun SPARC RO80383,
  Sun Intel RO80384

CA Universal Job Management Agent:
  Linux RO80919, AIX RO80920, HP RO80921, Sun SPARC RO80923,
  Sun Intel RO80922

CA Virtual Assurance for Infrastructure Managers (SystemEDGE):
  CA Virtual Assurance for Infrastructure Managers (SystemEDGE) does not
  require CA Common Services. If no other CA product from this security
  notice is present on the server, customers may remove the read, write,
  and execute permissions from the casrvc and libcaconfigutils.so binaries.
  Customers may contact support for further guidance.
CA Workload Automation AE:
  Linux RO81050, AIX RO81051, HP-UX RO81052, Sun SPARC RO81053,
  Sun Intel RO81054

References

CVE-2015-3316 - CA Common Services environment variable
CVE-2015-3317 - CA Common Services multiple buffer overflows
CVE-2015-3318 - CA Common Services variable validation

Acknowledgement

Francois Goichon, Context IS

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team at
email@example.com

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2015 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.
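The SystemEDGE workaround in the Solution section names two files, casrvc and libcaconfigutils.so, whose read, write and execute permissions may be removed when no other product from the notice is installed. The following POSIX shell script is an added example, not part of the CA notice or of AusCERT's bulletin: it locates those two files under a search root you supply (the real install path is not given in the notice, so the root is an assumption), reports whether each still carries the setuid bit, and applies the chmod 000 workaround on request.

```shell
#!/bin/sh
# Added example, not from the CA notice. SEARCH_ROOT is an assumed
# starting directory; pass the directory where CA Common Services lives.

# List each casrvc / libcaconfigutils.so file under $1, one per line,
# followed by "setuid" or "nosuid" so an auditor can see at a glance
# whether the privileged binary is still live.
report_cs_binaries() {
    root="$1"
    find "$root" -type f \( -name casrvc -o -name libcaconfigutils.so \) \
        2>/dev/null |
    while IFS= read -r f; do
        # -u is the POSIX test for the setuid bit
        if [ -u "$f" ]; then flag=setuid; else flag=nosuid; fi
        printf '%s %s\n' "$f" "$flag"
    done
}

# Apply the workaround from the notice: strip read, write and execute for
# everyone (mode 000), which also clears setuid/setgid. Only run this after
# confirming no other product from the notice is present on the host.
apply_cs_workaround() {
    root="$1"
    find "$root" -type f \( -name casrvc -o -name libcaconfigutils.so \) \
        -exec chmod 000 {} + 2>/dev/null
}

# Usage (not executed when sourced by a test harness):
#   report_cs_binaries /opt/CA        # audit, assumed path
#   apply_cs_workaround /opt/CA       # neutralise, assumed path
```

Re-run report_cs_binaries after the patch identifiers listed in the Solution section have been applied (or after the workaround) to confirm nothing matching those names is still setuid.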
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================