-----BEGIN PGP SIGNED MESSAGE----- CA20141215-01: Security Notice for CA LISA Release Automation Issued: December 15, 2014 CA Technologies Support is alerting customers to multiple vulnerabilities in CA Release Automation (formerly CA LISA Release Automation, change effective 2014-09-19). The first vulnerability, CVE-2014-8246, is a cross-site request forgery (CSRF) issue related to insufficient validation. A remote attacker can potentially execute privileged actions on a vulnerable website. The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS) issue caused by insufficient input filtering. A remote attacker can execute specially crafted script. The third vulnerability, CVE-2014-8248, is a SQL injection issue caused by insufficient input sanitization. An attacker with a non-privileged account could utilize a specially crafted query to access privileged information. Risk Rating Medium Platform Windows Linux Solaris Affected Products CA Release Automation 4.7.1 Build 413 and earlier Unaffected Products CA Release Automation 4.7.1 Build 448 How to determine if the installation is affected To confirm that cumulative hot fix b448 is installed, navigate to the RA “About Automation Studio” page and check the displayed version. Patched systems will display version 4.7.1.448 or later. Alternatively, you can also see which fixes (you can see the fix folders) are applied by looking at the Fix_Maintenance directory. Windows example: C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance Linux, Solaris example: /opt/LISAReleaseAutomationServer/Fix_Maintenance Solution CA Technologies has issued the following fix to address the vulnerabilities. CA Release Automation 4.7.1: Apply Hot Fix 5 (cumulative hot fix b448) for CA Lisa Release Automation 4.7.1 Workaround None References CVE-2014-8246 – Release Automation cross-site request forgery (CSRF) CVE-2014-8247 – Release Automation cross-site scripting (XSS) CVE-2014-8248 – Release Automation SQL injection Acknowledgement CVE-2014-8246 – Lukasz Plonka, Julian Horoszkiewicz CVE-2014-8247 – Julian Horoszkiewicz CVE-2014-8248 – Lukasz Plonka Change History v1.0: 2014-12-15, Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com CA Technologies Product Vulnerability Response Team PGP Key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsBVAwUBVI9y85I1FvIeMomJAQGSwgf7Box/uvBBZ5Hd2MUn7Qzk/IuWWo/CC0O2 bDQRha/yw20cLllWZodJQnZSE/tTb2St52Byj4NRvslNLpnce37tnkfwIWAIe3y7 VIMj5CaQ7YUF0mOanUfwNixamai5DTEoyKyBDpr7nSo6kUocRvnQVs/caapaMBMN 09rpAd+02stVCC/YfRLk/2a0s5Py91d/nuq7NuimkMOWl4pI2/3QZ1ldOHHvJLAp MTvEM2ip1HNzfS8sMBuUA5SGoAwpiC/G8sf97DJcdX1PVQkgP0OiYv/EYlydFiF6 Mg94fuKyu0/kVLg51vColKmdydn2Fxbz4EUbh0mx2Z1S7MNfwPwfYQ== =7/gt -----END PGP SIGNATURE-----