Security Notice For CA IdentityMinder

Security Notice For CA IdentityMinder: Posted Dec 22, 2012; Authored by Ken Williams | Site www3.ca.com; CA Technologies Support is alerting customers to two potential risks in CA IdentityMinder (formerly known as CA Identity Manager). Two vulnerabilities exist that can allow a remote attacker to execute arbitrary commands, manipulate data, or gain elevated access. CA Technologies has issued patches to address the vulnerability. The first vulnerability allows a remote attacker to execute arbitrary commands or manipulate data. The second vulnerability allows a remote attacker to gain elevated access.; tags | advisory, remote, arbitrary, vulnerability; advisories | CVE-2012-6299, CVE-2012-6298; SHA-256 | d49452eb07c7dac5ca08b669f45a87e17032447b86a511ba9d8c52ea0e06bd22; Download | Favorite | View

Security Notice For CA IdentityMinder


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
IdentityMinder (formerly known as CA Identity Manager).  Two
vulnerabilities 
exist that can allow a remote attacker to execute arbitrary commands, 
manipulate data, or gain elevated access.  CA Technologies has issued 
patches to address the vulnerability.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain 
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA 
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar 
and ims.jar.  The dates on these jars will be set to the dates on which the
patch was applied.


Solution

CA Technologies has issued the following patches to address the 
vulnerabilities.  Download the appropriate patch(es) and follow the 
instructions in the readme.txt file.  These patches can be applied to all 
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip



Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B
61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies 
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQ04P9eSWR3+KUGYURAl2PAJ9LdnOlvewnVWtqmcAV/hbmwTOa7QCfZzcJ
B8e5qLs4mUmSZJdMqMZm52Q=
=CPIi
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

Security Notice For CA IdentityMinder

Security Notice For CA IdentityMinder

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Security Notice For CA IdentityMinder

Share This

Security Notice For CA IdentityMinder

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems