-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20111208-01: Security Notice for CA SiteMinder Issued: December 08, 2011 CA Technologies Support is alerting customers to a potential risk in CA SiteMinder. A vulnerability exists that can allow a malicious user to execute a reflected cross site scripting (XSS) attack. CA Technologies has issued patches to address the vulnerability. The vulnerability, CVE-2011-4054, occurs due to insufficient validation of postpreservationdata parameter input utilized in the login.fcc form. A malicious user can submit a specially crafted request to effectively hijack a victim’s browser. Risk Rating Medium Platform All Affected Products CA SiteMinder R6 SP6 CR7 and earlier CA SiteMinder R12 SP3 CR8 and earlier Non-Affected Products CA SiteMinder R6 SP6 CR8 CA SiteMinder R12 SP3 CR9 How to determine if the installation is affected Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. Solution CA is issuing patches to address the vulnerability. CA SiteMinder R6: Upgrade to R6 SP6 CR8 or later (Expected Availability: January 2012) CA SiteMinder R12: Upgrade to R12 SP3 CR9 or later CR releases can be found on the CA SiteMinder Hotfix/Cumulative Release page: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E 29-C3DE-405E-9151-9EEA72D965CE}. Workaround None References CVE-2011-4054 - CA SiteMinder login.fcc XSS Acknowledgement CVE-2011-4054 - Jon Passki of Aspect Security, via CERT Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director CA Technologies Product Vulnerability Response Team CA Technologies Business Unit Operations wilja22@ca.com -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Charset: utf-8 wj8DBQFO4glXeSWR3+KUGYURAotyAJ4nT1pij7Nb2uOCKgXnhGvK5If7DgCfX5ht GdIeR80Ie/6he0y0K5uQLoQ= =U3C2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/