-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20160721-01: Security Notice for CA eHealth Issued: 2016-07-21 Last Updated: 2016-07-21 CA Technologies Support is alerting customers to multiple potential risks with CA eHealth. Two vulnerabilities exist in the web interface, CVE-2016-6151 and CVE-2016-6152, that can allow a remote authenticated attacker to cause a denial of service condition or possibly execute arbitrary commands. CA technologies assigned a High risk rating to these vulnerabilities. CA has a solution available. Risk Rating CVE Identifier Risk Vulnerable Releases CVE-2016-6151 High 6.2.x CVE-2016-6152 High 6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x Platform(s) All Affected Products CA eHealth 6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x How to determine if the installation is affected Customers may check the build number by running the nhShowRev command If the installed product Fix build is less than the release in the below table, the installation is vulnerable. Product release Fix build CA eHealth 6.2.x, 6.3.x 6.3.2.13 Solution For all releases of CA eHealth, update to version 6.3.2.13 or later to resolve these vulnerabilities. References CVE-2016-6151 - CA eHealth 6.2.x remote denial of service/command execution CVE-2016-6152 - CA eHealth 6.2.x, 6.3.x remote denial of service/command execution Acknowledgement CVE-2016-6151, CVE-2016-6152 - Ben Lincoln, NCC Group Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Team Copyright (c) 2016 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsFVAwUBV5JY3Tuotw2cX+zOAQoYbg/+JfDwXxV6pCZiGpOBpK4aXRRPwnmFIXk7 ra+MW1S1fLwz7uay+rgDWhlgzi1zzOjtNacQguQECCUa1YfSRSQnqaaF0zDv6YV7 lMDd4bfHTn8nyj1s17rhSq0X5bSFc0JmpJ4yqrTvu9fX6UmfThxHObGAnKxBVBdJ Mt7ew1HmiKzxiTmcb59s6FbohyzXm2zDN0SYrGOZNLjnYJ4TR4GiKJ6laaFcPban uu0HnvguZAwNLe2uxyn3E4b1726O7xGRUhi99l69unMmRATARoqMJOYqxinbllXW enAmwS8DJ5DrnKQu5En5yx2STHTr50oFfuaAS18H1mIQyDxxD+w8me9eK6iWMlOZ pzKZHhQ7w0snWMkF14ky7Nev9hddO/q95oowRDLYGDxEMVI99Dt+bCBMWkOZ8NWu QO8SzIsPiVCvNGimy7+XDxOCdZ/VlgN2UHT7Dc3FkOdvuMp9/tCekKPXs/LCV7HW irIEu1nIglEVXY7uhpMv58eUUPh0TY9iuOaru8u1V8iH1f4YEikC5I8xJw9X824z pJdHHk8ef+ERuLkI1zFM2jm+6M4nAmF3ZBWiRmLg9bJlaixlWPB+4Yp3uobzVG/4 wqEKyXtk+DUDru1SGGAwphonQJeleCygQfqgEDRvNvuJMqdpsFSfY7lzXaHPj5Ce oCa4qmGItmw= =KcjQ -----END PGP SIGNATURE-----