what you don't know can hurt you

CA LISA Release Automation Security Notice

CA LISA Release Automation Security Notice
Posted Dec 16, 2014
Authored by Ken Williams | Site www3.ca.com

CA Release Automation (formerly CA LISA Release Automation) suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. Versions 4.7.1 Build 413 and earlier are affected.

tags | advisory, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2014-8246, CVE-2014-8247, CVE-2014-8248
MD5 | 7b3aba71523c7e90b667fde899b6b1ef

CA LISA Release Automation Security Notice

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----

CA20141215-01: Security Notice for CA LISA Release Automation

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple
vulnerabilities in CA Release Automation (formerly CA LISA Release
Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery
(CSRF) issue related to insufficient validation. A remote attacker can
potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)
issue caused by insufficient input filtering. A remote attacker can
execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused
by insufficient input sanitization. An attacker with a non-privileged
account could utilize a specially crafted query to access privileged
information.

Risk Rating

Medium

Platform

Windows
Linux
Solaris

Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the
RA “About Automation Studio” page and check the displayed version.
Patched systems will display version 4.7.1.448 or later.

Alternatively, you can also see which fixes (you can see the fix
folders) are applied by looking at the Fix_Maintenance directory.

Windows example:
C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance

Linux, Solaris example:
/opt/LISAReleaseAutomationServer/Fix_Maintenance

Solution

CA Technologies has issued the following fix to address the
vulnerabilities.

CA Release Automation 4.7.1:
Apply Hot Fix 5 (cumulative hot fix b448) for CA Lisa Release
Automation 4.7.1

Workaround

None

References

CVE-2014-8246 – Release Automation cross-site request forgery (CSRF)
CVE-2014-8247 – Release Automation cross-site scripting (XSS)
CVE-2014-8248 – Release Automation SQL injection

Acknowledgement

CVE-2014-8246 – Lukasz Plonka, Julian Horoszkiewicz
CVE-2014-8247 – Julian Horoszkiewicz
CVE-2014-8248 – Lukasz Plonka

Change History

v1.0: 2014-12-15, Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com

CA Technologies Product Vulnerability Response Team PGP Key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com


Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsBVAwUBVI9y85I1FvIeMomJAQGSwgf7Box/uvBBZ5Hd2MUn7Qzk/IuWWo/CC0O2
bDQRha/yw20cLllWZodJQnZSE/tTb2St52Byj4NRvslNLpnce37tnkfwIWAIe3y7
VIMj5CaQ7YUF0mOanUfwNixamai5DTEoyKyBDpr7nSo6kUocRvnQVs/caapaMBMN
09rpAd+02stVCC/YfRLk/2a0s5Py91d/nuq7NuimkMOWl4pI2/3QZ1ldOHHvJLAp
MTvEM2ip1HNzfS8sMBuUA5SGoAwpiC/G8sf97DJcdX1PVQkgP0OiYv/EYlydFiF6
Mg94fuKyu0/kVLg51vColKmdydn2Fxbz4EUbh0mx2Z1S7MNfwPwfYQ==
=7/gt
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    10 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close