-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20161109-02: Security Notice for CA Service Desk Manager

Issued: November 09, 2016

CA Technologies Support is alerting customers to a vulnerability in CA 
Service Desk Manager (formerly CA Service Desk).  A reflected cross site 
scripting vulnerability, CVE-2016-9148, exists in the QBE.EQ.REF_NUM 
parameter of the SDM web interface.  A remote attacker, who can trick a 
user into clicking on or visiting a specially crafted link, could 
potentially execute arbitrary code on the targeted user's system.  CA 
Technologies has assigned a Medium risk rating to this vulnerability.  
A solution is available.


Risk Rating

Medium


Platform(s)

All


Affected Products

CA Service Desk Manager 12.9, 14.1


How to determine if the installation is affected

Check the web.cfg file for the existence of the solution detailed in KB 
article TEC1774903.


Solution 

Implement the solution detailed in KB article TEC1774903.


Workaround

None


References

CVE-2016-9148 - SDM QBE.EQ.REF_NUM Reflected XSS Vulnerability


Acknowledgement

CVE-2016-9148 - Jerold Hoong


Change History

Version 1.0:  Initial Release, 2016-11-09


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team 
at vuln <AT> ca.com

CA Technologies Security Notices can be found at https://support.ca.com/
CA Product Vulnerability Response Team PGP Key:
https://www.ca.com/us/support/ca-support-online/documents.aspx?id=177782


Regards,

Ken Williams
Vulnerability Response Director, CA Product Vulnerability Response Team


Copyright (c) 2016 CA. All Rights Reserved. 520 Madison Avenue, 22nd 
Floor, New York, NY 10022. All other trademarks, trade names, service 
marks, and logos referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 16620)
Charset: utf-8

wsFVAwUBWCO8pjuotw2cX+zOAQrdBhAAk/TAQ+kNGxUGvNF4R8VX6Q8olUoZO/sg
q4/t9MVAybGrzV/VQe3zzMWkSR3rbbbV8C8GAWBMZbZ/RjOTiX//L2Cy/uXpzRPo
BF5RL5B3NkCIyRN1Ujh/812hXmSBSiFRJchZOSLBnGNAEE0VeTnuDAQjolzSVr9Q
FTqggxkXLwv00GH+12RIYlI1YRoS9+GEs9zY3qONy1/9HeJSfH2jOiA+3owdtIxB
QSorxmWvpQt9sJRmNi98Jvoyt+HhdXVVdXB6GsthQOKvRsBnBnTENLuaC3g3W8Ur
MI2Rjs9ioujyAeLT4i/5pAk3e9w5ix7078cPzBf5bGPHRN8WwXUgJwOQzwc9IJr4
Vqv/kJsqdRTPevLnl0uZcpcTmmzACRVW3I+XqdslOFPzlx9jGogPoUF/S6nCfmZX
tG+nWyMxTpi0JU9xEqqIvIB6bME6GwlkJ+acuP2k+oBuEMs/lkk4C83RHHmvlg1t
0pjnrpBN/tGeJxXzjhU0rncDEDq5QFI3DeVnqOlL4cpbuV+SBwfD9xiQWtUF9uks
u8z8/oR8mluhV9m5njceGM2ElIOC7iLuOLSfl8wRnF4OI4LB+D8cVI4oFEUNdzEv
6QITaRP85UWK/O4csiw23r74SLrQgndCNDuRz9jT30J9AVDpBRLsbidlNEKdfoJD
gf7R0BB8auY=
=wAmu
-----END PGP SIGNATURE-----