-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20160627-01: Security Notice for Release Automation

Issued: June 27, 2016
Last Updated: June 27, 2016

CA Technologies Support is alerting customers to multiple potential risks with CA Release Automation. Three vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information or cause a denial of service condition. CA has fixes available.

The first vulnerability, CVE-2015-7370, occurs due to the inclusion of a vulnerable 3rd party component, Open Flash Chart. A remote attacker can conduct cross-site scripting attacks. CA Technologies assigned a Medium risk rating to this vulnerability.

The second vulnerability, CVE-2015-8698, occurs due to insufficient verification of requests to the web server, which can lead to limited XML external entity attacks. An authenticated attacker in the local network can potentially gain sensitive information or cause a denial of service condition. CA Technologies assigned a Medium risk rating to this vulnerability.

The third vulnerability, CVE-2015-8699, occurs due to insufficient verification of requests to the web interface, which leads to multiple reflected cross-site scripting vulnerabilities and one stored cross-site scripting vulnerability. CA Technologies assigned a Medium risk rating to these vulnerabilities.
Risk Rating

CVE Identifier   Risk     Vulnerable Releases
CVE-2015-7370    Medium   CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
CVE-2015-8698    Medium   CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
CVE-2015-8699    Medium   CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004

Platform(s)
All platforms

Affected Products
CA Release Automation (formerly CA LISA Release Automation) prior to and including 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004

How to determine if the installation is affected
Customers may check the build number of their RA installation at the Help->About menu option in the ROC web application. Customers may also determine which fixes are applied by looking at the Fix_Maintenance directory.

Windows example:
C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance

Linux, Solaris example:
/opt/LISAReleaseAutomationServer/Fix_Maintenance

If the installed product Fix build is less than the build number in the table below, the installation is vulnerable.

Product release                  Fix build
CA Release Automation 6.1.0      6.1.0-1026
CA Release Automation 5.5.1      5.5.1-1616
CA Release Automation 5.5.2      5.5.2-434
CA Release Automation 5.0.2      5.0.2-227

Solution
CA Technologies has issued the following updates to address the vulnerabilities.
CA Release Automation 6.1.0: Update to CA Release Automation 6.1.0-1026 or later
CA Release Automation 5.5.1: Update to CA Release Automation 5.5.1-1616 or later
CA Release Automation 5.5.2: Update to CA Release Automation 5.5.2-434 or later
CA Release Automation 5.0.2: Update to CA Release Automation 5.0.2-227 or later

References
CVE-2015-7370 - Open Flash Chart XSS
CVE-2015-8698 - Release Automation XXE
CVE-2015-8699 - Release Automation multiple XSS

Acknowledgement
CVE-2015-7370, CVE-2015-8698, CVE-2015-8699 - Marcin Woloszyn, ING

Change History
Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2016 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
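The affected-build check described under "How to determine if the installation is affected", as an added example that is not part of the notice: it parses a build string of the form shown in Help->About (release followed by a build number) and compares it with the fix-build table. The table values are copied from the notice; the parsing and the "not listed" handling for releases the notice does not cover are assumptions of this example.

```python
"""Triage CA Release Automation build numbers against CA20160627-01.

Added example, not CA's own tooling. FIX_BUILDS is copied from the
notice's fix-build table; everything else is an assumption of the example.
"""
import re

# Release -> first build number that carries the fixes (from the notice).
FIX_BUILDS = {
    "6.1.0": 1026,
    "5.5.1": 1616,
    "5.5.2": 434,
    "5.0.2": 227,
}

# Build strings look like "5.5.2-409": three-part release, dash, build number.
_BUILD_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)$")


def parse_build(build):
    """Split '5.5.2-409' into ('5.5.2', 409); reject anything else."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return m.group(1), int(m.group(2))


def assess(build):
    """Return 'vulnerable', 'fixed' or 'not listed' for one installation.

    The notice's rule: a release in the table is vulnerable when the
    installed build number is below the fix build. A release the notice
    does not list cannot be judged from this table, so it is flagged
    separately rather than silently treated as safe.
    """
    release, number = parse_build(build)
    fix = FIX_BUILDS.get(release)
    if fix is None:
        return "not listed"
    return "vulnerable" if number < fix else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs: the affected builds named in the notice,
    # two fix builds, and one release the notice does not cover.
    for b in ["5.0.2-193", "5.5.1-1613", "5.5.2-409", "6.1.0-1004",
              "6.1.0-1026", "5.5.2-434", "6.2.0-100"]:
        print(f"{b:12} {assess(b)}")
```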