===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1357
        CA20200414-01: Security Notice for CA API Developer Portal
                               17 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CA API Developer Portal
Publisher:         CA Technologies
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise       -- Existing Account      
                   Access Privileged Data         -- Existing Account      
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11666 CVE-2020-11665 CVE-2020-11664
                   CVE-2020-11663 CVE-2020-11662 CVE-2020-11661
                   CVE-2020-11660 CVE-2020-11659 CVE-2020-11658

Original Bulletin:
   https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2020/CA20200414-01-Securit-Notice-for-CA-API-Developer-Portal.html

--------------------------BEGIN INCLUDED TEXT--------------------

CA20200414-01: Security Notice for CA API Developer Portal

Issued: April 14th, 2020

Last Updated: April 14th, 2020

CA Technologies, A Broadcom Company, is alerting customers to multiple
vulnerabilities in CA API Developer Portal. Multiple vulnerabilities exist that
can allow attackers to bypass access controls, view or modify sensitive
information, perform open redirect attacks, or elevate privileges. CA published
solutions to address these vulnerabilities and recommends that all affected
customers implement these solutions.

The first vulnerability, CVE-2020-11658, occurs due to insecure handling of
shared secret keys. An attacker can bypass authorization.

The second vulnerability, CVE-2020-11659, occurs due to an access control flaw.
A privileged user can perform a restricted user administration action.

The third vulnerability, CVE-2020-11660, occurs due to an access control flaw.
A privileged user can view restricted sensitive information.

The fourth vulnerability, CVE-2020-11661, occurs due to an access control flaw.
A privileged user can view and edit user data.

The fifth vulnerability, CVE-2020-11662, occurs due to insecure request
handling. A remote attacker can exploit Cross-Origin Resource Sharing to access
sensitive information.

The sixth vulnerability, CVE-2020-11663, occurs due to insecure redirect
handling of 404 requests. An attacker can perform open redirect attacks.

The seventh vulnerability, CVE-2020-11664, occurs due to insecure redirect
handling in the homeRedirect page. An attacker can perform open redirect
attacks.

The eighth vulnerability, CVE-2020-11665, occurs due to insecure redirect
handling in the loginRedirect page. An attacker can perform open redirect
attacks.
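The sixth, seventh and eighth vulnerabilities share one bug class: a redirect parameter (here on the 404 path and the homeRedirect and loginRedirect pages) that accepts an attacker-chosen absolute or scheme-relative URL. The check below is an added illustration of how a redirect target is validated to close that class; it is not code from the notice or from CA API Developer Portal, and the function name and allowed-host list are assumptions.

```python
"""Hardened redirect-target check (example written for this bulletin, not
CA API Developer Portal code). Function name and ALLOWED_HOSTS are assumed."""
from urllib.parse import urlsplit, unquote

# Assumed: the only hosts the portal may send a browser to (constructed sample).
ALLOWED_HOSTS = {"portal.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a same-site rooted path or an allow-listed
    http(s) URL; otherwise return `default`. Rejects the usual open-redirect
    bypasses: scheme-relative `//host`, backslash variants `/\\host`,
    non-http schemes, control characters, and percent-encoded forms."""
    if not target:
        return default
    # Decode once so `%2F%2Fhost` is judged the same as `//host`.
    candidate = unquote(target)
    # Whitespace and control characters let lenient parsers see a scheme
    # where this check would not; reject outright.
    if any(ord(c) < 0x21 for c in candidate):
        return default
    # Browsers treat backslashes as slashes; normalise before inspecting.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only plain http(s) to an allow-listed host passes.
        # `hostname` ignores userinfo, so `allowed@evil` is judged as `evil`.
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    # Relative reference: must be a single-slash rooted path.
    # `///host` parses with an empty netloc but resolves off-site in browsers.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```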

The ninth vulnerability, CVE-2020-11666, occurs due to an access control flaw.
A malicious user can elevate privileges.

Risk Rating

CVE-2020-11658 - Medium

CVE-2020-11659 - Low

CVE-2020-11660 - Low

CVE-2020-11661 - Low

CVE-2020-11662 - Medium

CVE-2020-11663 - Low

CVE-2020-11664 - Low

CVE-2020-11665 - Low

CVE-2020-11666 - High

Platform(s)

All supported platforms

Affected Products

CA API Developer Portal 4.3.1

CA API Developer Portal 4.2.x and earlier

How to determine if the installation is affected

Check the version number on the login page of API Developer Portal.

Solution

CA Technologies published the following solutions to address the
vulnerabilities:

Upgrade to CA API Developer Portal 4.3.2, 4.4, or 4.5 (or later when
available).

https://support.broadcom.com/

References

CVE-2020-11658 - API Dev Portal reset shared secret auth bypass

CVE-2020-11659 - API Dev Portal auth schema bypass del user

CVE-2020-11660 - API Dev Portal auth schema bypass info disclosure

CVE-2020-11661 - API Dev Portal auth schema bypass edit user

CVE-2020-11662 - API Dev Portal CORS info disclosure

CVE-2020-11663 - API Dev Portal 404 open redirect

CVE-2020-11664 - API Dev Portal homeRedirect open redirect

CVE-2020-11665 - API Dev Portal loginRedirect open redirect

CVE-2020-11666 - API Dev Portal privilege elevation

Acknowledgement

CVE-2020-11658 - Matteo Civera

CVE-2020-11659 - Roman Paci

CVE-2020-11660 - Matteo Civera

CVE-2020-11661 - Roman Paci

CVE-2020-11662 - Roman Paci

CVE-2020-11663 - Roman Paci

CVE-2020-11664 - Roman Paci

CVE-2020-11665 - Roman Paci

CVE-2020-11666 - Roman Paci

Change History

Version 1.0: 2020-04-14 - Initial Release

CA customers may receive product alerts and advisories by subscribing to
Proactive Notifications.

Customers who require additional information about this notice may contact CA
Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a
summary to the CA Technologies Product Vulnerability Response Team.

Copyright (C) 2020 Broadcom. All Rights Reserved. The term "Broadcom" refers to
Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting
everything, CA Technologies and the CA technologies logo are among the
trademarks of Broadcom. All trademarks, trade names, service marks and logos
referenced herein belong to their respective companies.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================