-----BEGIN PGP SIGNED MESSAGE-----

CA20130213-01: Security Notice for CA ControlMinder

Issued: February 13, 2013

CA Technologies Support is alerting customers to a potential risk with CA ControlMinder. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA has issued remediation to address the vulnerability.

The vulnerability, CVE-2010-0738, occurs because the default JBoss Application Server configuration does not correctly enforce authentication on the JMX Console. A remote attacker can bypass authentication, which may result in arbitrary code execution and server compromise.

This vulnerability only affects the server components.

Risk Rating

High

Platform

Windows
Linux
Solaris

Affected Products

CA ControlMinder for Windows 12.5, 12.6 (formerly CA Access Control)
CA ControlMinder for Linux 12.5, 12.6
CA ControlMinder SAM 12.5, 12.6
CA ControlMinder Upgrade
CA ControlMinder for Virtual Environments 2.0

Non-Affected Products

CA ControlMinder for Windows 12.6 SP1
CA ControlMinder for Linux 12.6 SP1
CA ControlMinder SAM 12.6 SP1
CA ControlMinder Upgrade 12.6 SP1
CA ControlMinder for Virtual Environments 2.0 CR

How to determine if the installation is affected

If the installed version is prior to the version indicated in the Solution section, the installation may be vulnerable.

To manually confirm whether the installation is vulnerable, use the following instructions:

1. Using a web browser, open the following location, where <server> is the server name or IP address of the ControlMinder installation:

   http://<server>:18080/jmx-console

2. If the webpage is accessible, the installation is vulnerable.

Solution

CA Technologies has issued the following remediation to address the vulnerability. All updates are available through the Download Center on the CA Technologies support website.
For CA ControlMinder on all platforms, update as follows:

CA ControlMinder for Windows 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Windows (DVD06135111E.iso)

CA ControlMinder for Linux 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux (DVD06134958E.iso)

CA ControlMinder SAM 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux (DVD06134958E.iso)

CA ControlMinder Upgrade 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux (DVD06134958E.iso)

CA ControlMinder for Virtual Environments 2.0:
Access Control for Virtual Environments 2.0 CR (DVD01091214E.iso)

CA ControlMinder 12.5, all releases on all platforms:
Disable the JMX and Web Console servlets as described in TEC559568.

Workaround

Alternatively, the JMX and Web Console servlets may be disabled to remediate the vulnerability. See TEC559568 for instructions.

References

CVE-2010-0738
CA20130213-01: Security Notice for CA ControlMinder
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

Sanehdeep Singh, Jainam Technologies Pvt. Ltd.

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at http://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team: https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,
Kevin Kotas
Director, CA Technologies Product Vulnerability Response Team

Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
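The manual check in "How to determine if the installation is affected" above can be automated so that every ControlMinder server in an estate is tested the same way. The script below is an added example and is not part of the CA advisory or of ControlMinder itself. It requests http://<server>:18080/jmx-console/ exactly as the advisory describes and reports "open" when the console answers without a credential challenge. Going beyond the advisory's own instructions, it also sends a HEAD request: the published description of CVE-2010-0738 is that the JMX Console's security constraint in the default JBoss web.xml only covers GET and POST, so a server that challenges GET (401) but serves HEAD (200) is still exposed even though the advisory's browser test would appear to pass. The fake console server included for offline testing is a constructed stand-in and does not model any other ControlMinder behaviour; the port default of 18080 is the one given in the advisory.

```python
"""Automated version of the CA20130213-01 jmx-console check (added example,
not CA's code). Classifies the JMX Console exposure of a host and, beyond the
advisory's browser test, probes the GET/HEAD verb-tampering gap behind
CVE-2010-0738."""
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

JMX_CONSOLE_PATH = "/jmx-console/"   # trailing slash avoids a directory redirect
DEFAULT_PORT = 18080                 # port named in the advisory


def _status(host, port, method, timeout):
    """Return the HTTP status for one request, or None if no HTTP answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, JMX_CONSOLE_PATH)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    except OSError:
        return None
    finally:
        conn.close()


def check_jmx_console(host, port=DEFAULT_PORT, timeout=5):
    """Classify host:port as one of:
    'open'         GET served with no authentication (the advisory's test)
    'verb-bypass'  GET challenged (401/403) but HEAD served: CVE-2010-0738
    'protected'    both methods challenged
    'absent'       console not deployed (404), e.g. after the TEC559568 workaround
    'unreachable'  no HTTP answer at all
    'unknown'      anything else; inspect manually
    """
    get = _status(host, port, "GET", timeout)
    head = _status(host, port, "HEAD", timeout)
    if get is None and head is None:
        return "unreachable"
    if get == 200:
        return "open"
    if get in (401, 403):
        return "verb-bypass" if head == 200 else "protected"
    if get == 404:
        return "absent"
    return "unknown"


def is_vulnerable(verdict):
    """Verdicts that mean the console is reachable without credentials."""
    return verdict in ("open", "verb-bypass")


class _FakeJmxConsole(BaseHTTPRequestHandler):
    """Constructed stand-in for a JBoss jmx-console; behaviour set by `mode`."""
    mode = "open"

    def _answer(self, method):
        if self.path.rstrip("/") != JMX_CONSOLE_PATH.rstrip("/") or self.mode == "absent":
            self.send_response(404)
        elif self.mode == "open" or (self.mode == "verb-bypass" and method == "HEAD"):
            self.send_response(200)          # constraint not applied to this verb
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="JBoss JMX Console"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._answer("GET")

    def do_HEAD(self):
        self._answer("HEAD")

    def log_message(self, *args):   # keep the fake server quiet
        pass


def start_fake_jmx_console(mode):
    """Start a fake console on an ephemeral port; returns (server, port)."""
    handler = type("Handler", (_FakeJmxConsole,), {"mode": mode})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} <server> [port]")
        return 2
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    verdict = check_jmx_console(argv[1], port)
    state = "VULNERABLE" if is_vulnerable(verdict) else "not vulnerable by this test"
    print(f"{argv[1]}:{port} jmx-console: {verdict} ({state})")
    return 1 if is_vulnerable(verdict) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_jmx.py <server>` against each ControlMinder server; a non-zero exit means the console is exposed. After applying 12.6 SP1 or the TEC559568 workaround, the expected verdict is "absent" (the servlets are removed), not merely "protected"; a "verb-bypass" result on a host that passes the advisory's browser test is the case worth escalating, because the page appears to require a login while the constraint is still incomplete.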
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.1 (Build 4940)
Charset: utf-8

wsBVAwUBURvYMZI1FvIeMomJAQFa8QgAlGvNxaK3QWCw9z/Uzv7Jty4NAnZQ7V5n
44ZxK6sP4WN9gXklOYm9srnNCH65GdFNI6siqEi6SGeyzEww57V7mKUoZgdipQDn
+CuRvj2ExtxZhWXSYkTW6aW0QYq5/wTT/SIcYwgfvyMWqajb5LM0dJXvFboTs05l
pTjpl+Z+JudGB7ShlpQEVUrdTBmH3doYwIIoWNzUk+SjJq8d8sgh9PqLda+DrALt
Njzsw+VKmG1usidHNJnvATMKNsJwQ2hxRQF0SbtvJsTd99ZetLbbdu1qun3fdmf1
Hbug/loFo6iBRwIkcLC3z87ph9cM0J6GsWa8rMzItmOZcGiu1rdd0A==
=DZV/
-----END PGP SIGNATURE-----