-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.3374
CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)
5 September 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           CA Common Services Distributed Intelligence Architecture (DIA)
Publisher:         Computer Associates
Operating System:  Windows
                   Linux variants
                   HP-UX
                   AIX
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13656

Original Bulletin:
   https://casupport.broadcom.com/us/product-content/recommended-reading/security-notices/CA20190904-01--security-notice-for-ca-common-services-distributed-intelligence-architecture-dia.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)

Issued: September 4th, 2019
Last Updated: September 4th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a potential
risk with CA Common Services in the Distributed Intelligence Architecture
(DIA) component. A vulnerability exists, CVE-2019-13656, that can allow a
remote attacker to execute arbitrary code. CA published solutions to address
the vulnerabilities and recommends that all affected customers implement
these solutions immediately.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Common Components DIA

CA Technologies products that bundle this software include:

CA Client Automation 14 and later versions
CA Workload Automation AE 11.3.5 and 11.3.6

How to determine if the installation is affected

Customers should review the Solution section to determine whether the fix is
present.

CA Workload Automation Autosys:

The Distributed Intelligence Architecture (DIA) that installs with the
11.3.5 and 11.3.6 C3 DVD is vulnerable.

Solution

CA published the following solutions to address the vulnerabilities. Fixes
are available on the CA support site.

CA Client Automation:

Windows Solution: SO09605
Linux Solution:   SO09633

CA Workload Automation Autosys:

The following are the fixes published by the Workload Automation Autosys
Product team for the vulnerability CVE-2019-13656 reported against
Distributed Intelligence Architecture (DIA) shipped with C3 DVD.

Windows Solution: SO09111
Linux Solution:   SO09057
HP-UX Solution:   SO09086
Solaris Solution: SO09084
AIX Solution:     SO09085

Patch Validation

The script applypatch.bat for Windows and applypatch.sh for Linux and Unix
platforms when run should not produce any errors in its console output. The
script starts the NSM services at the end of the patch application process.
A successful patch application is manifested in the form of all services
coming up successfully.

References

CVE-2019-13656 - CA Common Services remote code execution

Acknowledgement

CVE-2019-13656 - Fredrik Ravne, Oslo Bors

Change History

Version 1.0: Initial Release

CA customers may receive product alerts and advisories by subscribing to
Proactive Notifications.

Customers who require additional information about this notice may contact
CA Technologies Support at https://casupport.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please
send a summary to the CA Technologies Product Vulnerability Response Team.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================