what you don't know can hurt you

Security Notice For CA License

Security Notice For CA License
Posted Oct 2, 2012
Authored by Ken Williams | Site www3.ca.com

CA Technologies Support is alerting customers to two potential risks in CA License (also known as CA Licensing). Vulnerabilities exist that can allow a local attacker to execute arbitrary commands or gain elevated access. CA Technologies has issued patches to address the vulnerabilities.

tags | advisory, arbitrary, local, vulnerability
advisories | CVE-2012-0691, CVE-2012-0692
MD5 | da9905439d6b7ebdc255eb04d32deead

Security Notice For CA License

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA
License (also known as CA Licensing). Vulnerabilities exist that can
allow a local attacker to execute arbitrary commands or gain elevated
access. CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of
system commands. An unprivileged user can exploit this vulnerability to
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user
validation. An unprivileged user can exploit this vulnerability to create
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup (formerly CA ARCserve Host Based
VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual
Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0,
r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for
Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the
“lic98version” program. Lic98version retrieves the version of CA
License
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in
the CA License installation location, and is also displayed on the console.


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific
instructions:

1. First, make backups of the ca.olf file and the lic98.dat file.
2. Uninstall the existing/old version of CA License.
3. Perform the installation of CA License 1.90.04.
4. Confirm the successful installation of 1.9.04, and then replace the
existing ca.olf file and lic98.dat file with the files you backed
up in step 1.

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA ALP License Update for Windows:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={2B524F
D2-9275-4820-997F-E9C0BC0DE768}

CA ARCserve products:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Automation Point r11.2:
Install SP5 when available.

CA Automation Point r11.3:
Install SP2, which uses CA License v1.90.04.

CA Client Automation r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Common Services (CCS) r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder (formerly known as CA Access Control) 12.5, 12.6:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA ControlMinder for Virtual Environments 2.0 (formerly known as ACVE):
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Database Management r11.3, r11.4, r11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Directory 8.1:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.0, 11.1:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Easytrieve 11.6 for Linux PC:
Download and install CA License v1.90.04 or later:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Erwin Data Modeler r7.x:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Gen r8:
Upgrade to CA Gen r8.5, or download and install CA License v1.90.04 or
later for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA IdentityMinder (formerly known as CA Identity Manager) r12 CR16 and
earlier:
Upgrade to r12.5, or download and install CA License v1.90.04 or later for
Windows and Linux platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Insight Database Performance Manager 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Asset Manager (ITAM) r12.6 and earlier:
Apply RI40652 for UAPM 11.3.4
Apply RI40653 for APM 12.6
Apply RI40654 for CASWCM 12.6
Apply RI40655 for CASWCM 12.0

CA IT Client Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA IT Inventory Manager r12.0, r12.0 SP1, r12.5:
Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later
for Windows and Linux platforms, or v1.90.03 or later for all other
platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Output Management Web Viewer 11.5:
Apply RI36100

CA Plex r6.1:
Upgrade to CA Plex r7.0

CA Repository for Distributed Systems r2.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Service Accounting r12.5:
Apply RO40603 (PIB RI40667)

CA Service Accounting r12.6:
Apply RO40613 (PIB RI40669)

CA Service Catalog r12.5:
Apply RO40603 (PIB RI40667)

CA Service Catalog r12.6:
Apply RO40613 (PIB RI40669)

CA Service Desk Manager r12.1, r12.5, r12.6:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
(Note that you will need to stop all SSO server services (including Access
Control and Directory) before upgrading the License component.)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Software Compliance Manager r12.0:
Apply RI40655

CA Software Compliance Manager r12.6:
Apply RI40654

CA SRM 11.8:
Apply RI35825 (CA License Vulnerability Fix)

CA SRM 12.6:
Apply RI35823 (CA License Vulnerability Fix)

CA TSreorg for Distributed Databases 11.3, 11.4, 11.5:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Unicenter Asset Portfolio Management r11.3, r11.3.4:
Apply RI40652

CA Unicenter Asset Portfolio Management r12.6:
Apply RI40653

CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA Workload Automation DE r11.3:
Download and install CA License v1.90.04 or later for Windows and Linux
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347
B7-543B-4345-B8FB-E840A0B72BFF}

CA XCOM Data Transport Gateway PC Linux r11.5:
Apply RI36093

CA XCOM Data Transport Gateway Windows r11.5:
Apply RI36094

CA XCOM Data Transport for PC Linux r11.5:
Apply RI36091

CA XCOM Data Transport for Windows 11.5:
Apply RI36090

CA XCOM Data Transport Management Center for PC Linux 11.5:
Apply RI38961

CA XCOM Data Transport Management Center for Windows 11.5:
Apply RI38984


Workaround

None


References

CVE-2012-0691 – CA License system command usage
CVE-2012-0692 – CA License user validation weakness


Acknowledgement

CVE-2012-0691 – Raphael Rigo, ANSSI (French Network and Information
Security Agency)
CVE-2012-0692 – Raphael Rigo, ANSSI (French Network and Information
Security Agency)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQafI7eSWR3+KUGYURAm8UAKCW9a/UaoyzeP8Ja/c9EPd0Gqol4ACdErwZ
bhKZxUlw5RP4fB9DlbfU/gk=
=AEEO
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close