-----BEGIN PGP SIGNED MESSAGE-----

CA20110510-01: Security Notice for CA eHealth

Issued: May 10, 2011

CA Technologies support is alerting customers to a security risk with
CA eHealth. A vulnerability exists that may potentially allow an
attacker to compromise web user security.

The vulnerability, CVE-2011-1899, occurs due to insufficient
validation of sent request parameters. An attacker, who can convince
a user to follow a carefully constructed link or view a malicious
web page, can conduct various cross-site scripting attacks.

Note: The "Scan user input for potentially malicious HTML content"
configuration option does not protect against this vulnerability.

Risk Rating

Medium

Platform

Windows
Unix

Affected Products

CA eHealth 6.0.x
CA eHealth 6.1.x
CA eHealth 6.2.1
CA eHealth 6.2.2

How to determine if the installation is affected

Locate the following file on the respective platform:

Platform
File path

Windows
"%NH_HOME%\extensions\local\42339.log"

Unix
"$NH_HOME/extensions/local/42339.log"

If the file is not present, the installation is vulnerable.

Solution

Customers may contact CA Technologies support to obtain a patch that
resolves this issue. Request the patch for PRD 42339 when submitting
the support ticket.

References

CVE-2011-1899 - eHealth cross-site scripting

CA20110510-01: Security Notice for CA eHealth
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5
662845D-4CD7-4CE6-8829-4F07A4C67366}

Acknowledgement

CVE-2011-1899 - Tony Fogarty

Change History

Version 1.0: Initial Release
If additional information is required, please contact CA Support at
http://support.ca.com/

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17
7782

Regards,

Kevin Kotas
CA Technologies Product Vulnerability Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBTcnDXJI1FvIeMomJAQG7OAf/VxiNXwFJPWZbqwhyVQRCN33g3+fPWGSe
6vNpiGMaZAZ9IBLbTRxI8B0XRsmcHclPFurc7SzH8zO37GktJ2RnJZ0MuZWGVQsD
dVspm/r3DxHtWyLbRGxV9FpRRErqG6OHuTPDZ69dbaODvD2p8DXzjKBC4w3vBtPi
h13x1sO6sUapQ40gYL8Z4bq8uDf+BP0iENI2VArSdalUwTdtWsD6dwmiDb45iHpX
a8HHNCVQ1YJFHhydNVnm0vhBOe58tOLC7K92Yyrk6Gn801UD/jCcg+dc5FoAibgo
LmasWeVzcPmR7ZGYiogG0abUlYZEG6KiQxyuvfk/0xthEYM6mt1fZw==
=SGmt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/