-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20180829-03: Security Notice for CA Release Automation Issued: August 29, 2018 Last Updated: August 29, 2018 CA Technologies Support is alerting customers to a potential risk with CA Release Automation. A vulnerability exists that can allow an attacker to potentially execute arbitrary code. The vulnerability, CVE-2018-15691, has a high risk rating and concerns insecure deserialization of a specially crafted serialized object, which can allow an attacker to potentially execute arbitrary code. Risk Rating High Platform(s) All supported platforms Affected Products CA Release Automation 6.3 CA Release Automation 6.4 CA Release Automation 6.5 Note: older, unsupported releases may be affected. Unaffected Products CA Release Automation 6.6 CA Release Automation 6.3.0.9945 or later CA Release Automation 6.4.0.10119 or later CA Release Automation 6.5.0.10080 or later How to determine if the installation is affected Check the build number with the Help->About menu option, or determine which fixes are applied by looking at the Fix_Maintenance directory. Solution CA Technologies published the following solutions to address the vulnerabilities. CA Release Automation 6.3: Apply Cumulative Fix build 9945 or later. CA Release Automation 6.4: Apply Cumulative Fix build 10119 or later. CA Release Automation 6.5: Apply Cumulative Fix build 10080 or later. References CVE-2018-15691 - CA Release Automation deserialization vulnerability Acknowledgement CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec Change History Version 1.0: 2018-08-29 - Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Ken Williams Vulnerability Response Director, Product Vulnerability Response Team CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022 Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBW4lufblJjor7ahBNAQgHCRAAlbiI2WtlSe1vnsES3mBAajChsQgClspH BZ5AYknsLv9BUxObn+ungcXUjEl72fEOHYSIHjT4hSZFOKtmk+zNRc8X6dQV9V6a ekVxUZhb08sowb2hNdG3DFKlArAX8gF1wVC/WaQvncLbPuvpKN+7z+1mpjYp7PJn Sb+tW5LoMl7cQ50q1x+bjITPzNuOfG8CBqk4ErYD4adjv6iIdvPlysPhRuZI108B 0vDOfOkxGgEGbtDoIrm+7KNoD3HT1O6rZAjdAq8M9iCUO+ae7orTe1Euf+Q/1mh/ FBCNNcWbVyciy0Y7JJyrFOozMJhdRYn8WANOG5kil8la50iSmLKoDunh0r4N+i8F XHTQGzvs4FLQaSC/eKpsW1+WPg/l9UmsJk6DUVn4Ql4cEpBzYjgve28XnHQ8Os23 m2oBMKnT+Vm+5uuiVhvMXfif633Qji715Cd+iEVofyzH1EcDU5QCIjW2zlP973XE 0oeYokEdTV9yLZz8UgNJVebJaCcNPvrxHfCWEsoOcumrk140dKpI3mclwc1gjJ5E kehPO0usLZDGalzvuXawozwKy5ByYUF/vDCiB29izfJVWbUr0XVAVz0Ku7Zb5+Pn 3NDRTzzoI4igpe0Mr8Ne6NZJngFu0rI7KhEv+pf5lK4ZBbwHqofBlS3EMyKm6dpZ buTODvqItNQ= =KxBP -----END PGP SIGNATURE-----