Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0487
CA20190212-01: Security Notice for CA Privileged Access Manager
18 February 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CA Privileged Access Manager
Publisher: CA Technologies
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-7392
Original Bulletin:
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190212-01--security-notice-for-ca-privileged-access-manager.html
- --------------------------BEGIN INCLUDED TEXT--------------------
CA20190212-01: Security Notice for CA Privileged Access Manager
Issued: February 12, 2019
Last Updated: February 12, 2019
CA Technologies Support is alerting customers to a potential risk
with CA Privileged Access Manager. A vulnerability exists that can
allow a remote attacker to access sensitive information or modify
configuration. CA published solutions to address the vulnerabilities.
CVE-2019-7392 describes a vulnerability resulting from inadequate
access controls for the components jk-manager and jk-status web
service allowing a remote attacker to access the CA PAM Web-UI
without authentication
Risk Rating
High
Platform(s)
All platforms
Affected Products
CA Privileged Access Manager 3.2.1 and prior releases
CA Privileged Access Manager 3.1.2 and prior releases
CA Privileged Access Manager 3.0.x
How to determine if the installation is affected
Customers may check the version of the product to determine if they
are running a vulnerable release.
Solution
CA Privileged Access Manager 3.2.1 and prior releases:
Update to CA Privileged Access Manager 3.2.2 or later
CA Privileged Access Manager 3.1.2 and prior releases:
Update to CA Privileged Access Manager 3.1.3 or later
CA Privileged Access Manager 3.0.x:
Contact CA support for guidance
References
CVE-2019-7392 - CA Privileged Access Manager jk-manager and jk-status
access
Acknowledgement
CVE-2019-7392 - Bob Brust
Change History
Version 1.0: 2019-02-12 - Initial Release
CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications.
Customers who require additional information about this notice may
contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response
Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIUAwUBXGnzK2aOgq3Tt24GAQhPxQ/3fjPg+2qaa5WVXLEgNZqis/8FYNUF9Hez
OdBNHQqycfhRd6z23Nwx6yb2rBxeBZOgYBVh9G2rypcFmbA2XDzMlbKMswwPdNSV
c3a4Iv84hAymFuhJvwz0Ghhgd50G4nTsNm8sld45CrEBzKRU5mDhj/jT5hvhRRgU
iB1CfDV81qdjHML72F7LzkGEnkk+8kOXIBvWXygcJynwYxTwCuNKf56EOMI1Kkbf
xDDffQZm7Aodg33uIPXJAzj6iC8O1d2xFQegSfi4GIvktAa0QFIMjsSZiw2mcBvm
ILFSWOExJ6juwilfpWj2cs1qqceb6cJ/FeMSqFMHkwvDpodn1htre+MRSFWNjKaj
4tRJWTATFcHuOwRNwFHTFXWu1g/k43jb5Zh4H8ONIySd/Qyjq7VU9kTdVjaIWBwN
Y6kG6oFbxqY6Wir7gSpkP2CuFl/hXdv/PnlH6Fzgzo+Vz9LAx7RQNXOt1ZbyfFo6
0JeBunaBG/pWghGbEBFIEQUP5AOu0zMeymzF5KbQEv22F5Gts/lO4aKpkfK+gGmK
TlyOgmAGMJvII/QdqS3Rn0vZ5EABmh5pC0MlXVKu8A1s2AgO6cXUDwDOtkQPKBos
KI7ulIq3uA14NDrEuU+1o+3H7hBZtS4piq96lxIhsVuT/mTxk3ZuMNlxFdrBarxt
bwBpS0rOmQ==
=N4Be
-----END PGP SIGNATURE-----