Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.0487 CA20190212-01: Security Notice for CA Privileged Access Manager 18 February 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: CA Privileged Access Manager Publisher: CA Technologies Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-7392 Original Bulletin: https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190212-01--security-notice-for-ca-privileged-access-manager.html - --------------------------BEGIN INCLUDED TEXT-------------------- CA20190212-01: Security Notice for CA Privileged Access Manager Issued: February 12, 2019 Last Updated: February 12, 2019 CA Technologies Support is alerting customers to a potential risk with CA Privileged Access Manager. A vulnerability exists that can allow a remote attacker to access sensitive information or modify configuration. CA published solutions to address the vulnerabilities. CVE-2019-7392 describes a vulnerability resulting from inadequate access controls for the components jk-manager and jk-status web service allowing a remote attacker to access the CA PAM Web-UI without authentication Risk Rating High Platform(s) All platforms Affected Products CA Privileged Access Manager 3.2.1 and prior releases CA Privileged Access Manager 3.1.2 and prior releases CA Privileged Access Manager 3.0.x How to determine if the installation is affected Customers may check the version of the product to determine if they are running a vulnerable release. Solution CA Privileged Access Manager 3.2.1 and prior releases: Update to CA Privileged Access Manager 3.2.2 or later CA Privileged Access Manager 3.1.2 and prior releases: Update to CA Privileged Access Manager 3.1.3 or later CA Privileged Access Manager 3.0.x: Contact CA support for guidance References CVE-2019-7392 - CA Privileged Access Manager jk-manager and jk-status access Acknowledgement CVE-2019-7392 - Bob Brust Change History Version 1.0: 2019-02-12 - Initial Release CA customers may receive product alerts and advisories by subscribing to Proactive Notifications. Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/. To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIUAwUBXGnzK2aOgq3Tt24GAQhPxQ/3fjPg+2qaa5WVXLEgNZqis/8FYNUF9Hez OdBNHQqycfhRd6z23Nwx6yb2rBxeBZOgYBVh9G2rypcFmbA2XDzMlbKMswwPdNSV c3a4Iv84hAymFuhJvwz0Ghhgd50G4nTsNm8sld45CrEBzKRU5mDhj/jT5hvhRRgU iB1CfDV81qdjHML72F7LzkGEnkk+8kOXIBvWXygcJynwYxTwCuNKf56EOMI1Kkbf xDDffQZm7Aodg33uIPXJAzj6iC8O1d2xFQegSfi4GIvktAa0QFIMjsSZiw2mcBvm ILFSWOExJ6juwilfpWj2cs1qqceb6cJ/FeMSqFMHkwvDpodn1htre+MRSFWNjKaj 4tRJWTATFcHuOwRNwFHTFXWu1g/k43jb5Zh4H8ONIySd/Qyjq7VU9kTdVjaIWBwN Y6kG6oFbxqY6Wir7gSpkP2CuFl/hXdv/PnlH6Fzgzo+Vz9LAx7RQNXOt1ZbyfFo6 0JeBunaBG/pWghGbEBFIEQUP5AOu0zMeymzF5KbQEv22F5Gts/lO4aKpkfK+gGmK TlyOgmAGMJvII/QdqS3Rn0vZ5EABmh5pC0MlXVKu8A1s2AgO6cXUDwDOtkQPKBos KI7ulIq3uA14NDrEuU+1o+3H7hBZtS4piq96lxIhsVuT/mTxk3ZuMNlxFdrBarxt bwBpS0rOmQ== =N4Be -----END PGP SIGNATURE-----