-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20180328-01: Security Notice for CA API Developer Portal Issued: March 28, 2018 Last Updated: March 28, 2018 CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist that can allow a remote attacker to conduct cross-site scripting attacks. The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns profile picture management which can allow a remote attacker to conduct stored cross-site scripting attacks (CWE-79). The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns the widgetID variable, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79). The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns how the apiExplorer handles requests, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79). Risk Rating CVE Identifier Risk Rating CVE-2018-6586 Medium CVE-2018-6587 Medium CVE-2018-6588 Medium Platform(s) All supported platforms Affected Products CVE Identifier Affected Product and Releases CVE-2018-6586 CA API Developer Portal 3.5 GA through and including CR6 CVE-2018-6587 CA API Developer Portal 3.5 GA through and including CR6 CVE-2018-6588 CA API Developer Portal 3.5 GA through and including CR5 *CA API Developer Portal was formerly called CA Layer 7 API Portal Unaffected Products CA API Developer Portal 4 and newer releases How to determine if the installation is affected Customers may use the CA API Developer Portal web interface to find the product version and then use the table in the Affected Products section to determine if the installation is vulnerable. Solution CA Technologies published the following solution to address the vulnerabilities. CA API Developer Portal 3.5: Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in this security notice. References CVE-2018-6586 - CA API Developer Portal profile picture stored XSS CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS Acknowledgement CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas of Biznet Bilisim A.S. Change History Version 1.0: Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please send a report to CA Technologies Product Vulnerability Response at vuln ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsFVAwUBWrvd68Mr2sgsME5lAQrachAAp0ZZkIUet++ujK83vtp4E7wIwNTv+Tmu 5pKj97hEO6UzPsZdHVYGs/dI1XNJ2O8b7TAObaPQgE44W6PbwjTkA5ZieoCVBAhX cA4+M4lnwW6jqLjQlCZwHf0G5v+ioPkfVgesEYkYhMEhgZTwDioJNgvu15wbSz8i gqsiynUoOHENpa7L/m5fHny+7sav1056Iq1ZxEuJJjWEYUhHKbgRpDCpgh0YuZkZ c7KdJ3qN0TcR9yJQjaAodpAvVW/ukWXpTOho7lc547gI49dOpOrZbvO30c0VdTgq Qivzm/ID1d+I0PNiwYjz9Xn5rQKvm3SVHRpVOjWVuIYEe+AoZIyCCk11Q6tKmfn1 eDjI/HwOyCuk03G/QhwCTOMWJmCdM+iLJcsSYwB/59JEDX6Y1ERrQ5nmXimO5dH8 KCmeeyfdnJnSujsiZ4nWKkBcT07jAp5EIlI570AoMu1FlxOTBndI20BdauIjCUGh 2oMCGvYjP5C16Wuq5Gn7socxdaHUuoUz1opr5aB/dwCsybKMBeEl1Lac16i6SyBM F2zOczLezRCzmZgQCGpeyx6GL+UIT7J2XcwaZPWJXZwmjzzzzp0+CrlHzmCjKJi+ nQTfdztfUpUb5448SHFXV1J30oY6gytKhM98l4qd2GZYQWwmPJn0yDhShzdgzC6r qmUPpbvXFXo= =to4L -----END PGP SIGNATURE-----