exploit the possibilities

CA 2E Web Option Session Prediction

CA 2E Web Option Session Prediction
Posted Feb 19, 2014
Authored by Ken Williams | Site www3.ca.com

CA Technologies Support is alerting customers to a potential risk in CA 2E Web Option (C2WEB). A vulnerability exists that can allow an attacker to exploit an authentication weakness and execute a session prediction attack. The vulnerability is due to a predictable session token. An unauthenticated attacker can manipulate a session token to gain privileged access to a valid session. CA Technologies has issued fixes to address the vulnerability.

tags | advisory, web
advisories | CVE-2014-1219
MD5 | 7fadfd3e65352b522fd7cb75dbd6a581

CA 2E Web Option Session Prediction

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20140218-01: Security Notice for CA 2E Web Option

Issued: February 18, 2014

CA Technologies Support is alerting customers to a potential risk in
CA 2E Web Option (C2WEB). A vulnerability exists that can allow an
attacker to exploit an authentication weakness and execute a session
prediction attack. The vulnerability, CVE-2014-1219, is due to a
predictable session token. An unauthenticated attacker can manipulate
a session token to gain privileged access to a valid session. CA
Technologies has issued fixes to address the vulnerability.

Risk Rating

High

Affected Platforms

IBM i

Affected Products

CA 2E Web Option r8.5
CA 2E Web Option r8.5 + PTF 1
CA 2E Web Option r8.6
CA 2E Web Option r8.6 + PTF B

Note that the vulnerable version reported by Portcullis, r8.1.2,
reached End of Service (EOS) on April 10, 2013 and is no longer
supported. Customers can find the CA 2E r8.1, r8.1 SP1 and r8.1 SP2
End of Service Announcement, dated April 10, 2012, on the CA Support
website.

Non-Affected Products

None (i.e. all supported versions of CA 2E Web Option are affected)

How to determine if the installation is affected

All supported versions of CA 2E Web Option are affected by this
vulnerability.

To determine if the fix for this vulnerability has been applied, refer
to the guidance below for each supported version.

CA 2E Web Option r8.5:
The existence of the data area YHFM55861 in PTF library YW8501254 will
indicate that this solution has been applied.

CA 2E Web Option r8.6:
The existence of the data area YHFM55865 in PTF library YW860B254 will
indicate that this solution has been applied.

Solution

CA Technologies has issued the following fixes to address the
vulnerability.

CA 2E Web Option r8.5:
RO67583

CA 2E Web Option r8.6:
RO67569

Workaround

None

References

CVE-2014-1219 - CA 2E Web Option Session Prediction Vulnerability

CA20140218-01: Security Notice for CA 2E Web Option
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

CVE-2014-1219 - Portcullis

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams
CA Technologies
Director, Product Vulnerability Response Team
Ken.Williams@ca.com


Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wj8DBQFTA9mXeSWR3+KUGYURAkNJAJ9AuzNLh8ZUGQuwwHVlGvBO9QfQ6ACeO8xG
bFkm420IatsvgNIBBPmUhpg=
=Hgof
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close