-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20140218-01: Security Notice for CA 2E Web Option Issued: February 18, 2014 CA Technologies Support is alerting customers to a potential risk in CA 2E Web Option (C2WEB). A vulnerability exists that can allow an attacker to exploit an authentication weakness and execute a session prediction attack. The vulnerability, CVE-2014-1219, is due to a predictable session token. An unauthenticated attacker can manipulate a session token to gain privileged access to a valid session. CA Technologies has issued fixes to address the vulnerability. Risk Rating High Affected Platforms IBM i Affected Products CA 2E Web Option r8.5 CA 2E Web Option r8.5 + PTF 1 CA 2E Web Option r8.6 CA 2E Web Option r8.6 + PTF B Note that the vulnerable version reported by Portcullis, r8.1.2, reached End of Service (EOS) on April 10, 2013 and is no longer supported. Customers can find the CA 2E r8.1, r8.1 SP1 and r8.1 SP2 End of Service Announcement, dated April 10, 2012, on the CA Support website. Non-Affected Products None (i.e. all supported versions of CA 2E Web Option are affected) How to determine if the installation is affected All supported versions of CA 2E Web Option are affected by this vulnerability. To determine if the fix for this vulnerability has been applied, refer to the guidance below for each supported version. CA 2E Web Option r8.5: The existence of the data area YHFM55861 in PTF library YW8501254 will indicate that this solution has been applied. CA 2E Web Option r8.6: The existence of the data area YHFM55865 in PTF library YW860B254 will indicate that this solution has been applied. Solution CA Technologies has issued the following fixes to address the vulnerability. CA 2E Web Option r8.5: RO67583 CA 2E Web Option r8.6: RO67569 Workaround None References CVE-2014-1219 - CA 2E Web Option Session Prediction Vulnerability CA20140218-01: Security Notice for CA 2E Web Option https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Acknowledgement CVE-2014-1219 - Portcullis Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams CA Technologies Director, Product Vulnerability Response Team Ken.Williams@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wj8DBQFTA9mXeSWR3+KUGYURAkNJAJ9AuzNLh8ZUGQuwwHVlGvBO9QfQ6ACeO8xG bFkm420IatsvgNIBBPmUhpg= =Hgof -----END PGP SIGNATURE-----