-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20190117-01: Security Notice for CA Service Desk Manager

Issued: January 17, 2019
Last Updated: January 17, 2019

CA Technologies Support is alerting customers to multiple potential risks with CA Service Desk Manager. Multiple vulnerabilities exist that can allow a remote attacker to access sensitive information or possibly gain additional privileges. CA published solutions to address the vulnerabilities.

The first vulnerability, CVE-2018-19634, is due to how survey access is implemented. A malicious actor can access and submit survey information without authentication.

The second vulnerability, CVE-2018-19635, allows for a malicious actor to gain additional privileges.

Risk Rating

High

Platform(s)

All platforms

Affected Products

CA Service Desk Manager 14.1
CA Service Desk Manager 17

How to determine if the installation is affected

CA Service Desk Manager r14.1:
Versions prior to 14.1.05.1 are vulnerable.

CA Service Desk Manager r17 Windows:
Versions 17.1.0.1 and prior without the 17.1.0.1 language patch in the solution section are vulnerable

CA Service Desk Manager r17 Linux:
Versions prior to 17.1.0.2 are vulnerable

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Service Desk Manager r14.1:
Update to CA Service Desk Manager 14.1.05.1. The rollup patches are available on the CA Service Desk Manager 14.1 Solutions & Patches page.

Windows - SO05733
Sun - SO05716
Linux - SO05715

CA Service Desk Manager R17 Linux:
Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions & Patches page.

CA Service Desk Manager R17 Windows:
Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the corresponding language patch for the Service Desk Manager installation. All fixes are available on the CA Service Desk Manager 17.1 Solutions & Patches page.

Chinese - SO06055
English - SO06036
French - SO06051
French Canadian - SO06039
German - SO06037
Italian - SO06052
Japanese - SO06053
Portuguese - SO06054
Spanish - SO06038

References

CVE-2018-19634 - CA Service Desk Manager survey access
CVE-2018-19635 - CA Service Desk Manager privilege escalation

Acknowledgement

CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep

Change History

Version 1.0: 2019-01-17 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
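Added example, not part of the CA notice: a small triage script that applies the version thresholds from "How to determine if the installation is affected" to an asset inventory. The record fields (host, version, platform, language_patch), the host names and the status labels are assumptions made for illustration; how the installed version is collected is left to the reader.

```python
# Added example: inventory triage against the version thresholds in CA20190117-01.
# Thresholds come from the advisory; record fields and host names are assumptions.
FIXED_14_1 = (14, 1, 5, 1)         # r14.1: versions prior to 14.1.05.1 are vulnerable
FIXED_17 = (17, 1, 0, 2)           # r17: fixed in 17.1.0.2
WIN_17_PATCHABLE = (17, 1, 0, 1)   # r17 Windows: 17.1.0.1 plus language patch is fixed

def parse_version(text):
    """Turn '14.1.05.1' into (14, 1, 5, 1); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def assess(version, platform, language_patch=False):
    """Return 'vulnerable', 'fixed' or 'not-covered' for one installation."""
    v = parse_version(version)
    platform = platform.strip().lower()
    if v[:2] == (14, 1):
        return "vulnerable" if v < FIXED_14_1 else "fixed"
    if v[0] == 17 and platform in ("windows", "linux"):
        if v >= FIXED_17:
            return "fixed"
        # The language-patch alternative applies only to Windows at exactly 17.1.0.1.
        if platform == "windows" and v == WIN_17_PATCHABLE and language_patch:
            return "fixed"
        return "vulnerable"
    return "not-covered"  # release line or platform the advisory does not list

def triage(inventory):
    """Map each host to its status; unparseable versions are flagged, not dropped."""
    report = {}
    for rec in inventory:
        try:
            report[rec["host"]] = assess(rec["version"], rec["platform"],
                                         rec.get("language_patch", False))
        except ValueError:
            report[rec["host"]] = "check-manually"
    return report

# Constructed sample inventory (not real hosts).
SAMPLE = [
    {"host": "sdm-a", "version": "14.1.05.0", "platform": "Linux"},
    {"host": "sdm-b", "version": "17.1.0.1", "platform": "Windows", "language_patch": True},
    {"host": "sdm-c", "version": "17.1.0.1", "platform": "Linux", "language_patch": True},
    {"host": "sdm-d", "version": "17.1.0.2", "platform": "Windows"},
    {"host": "sdm-e", "version": "unknown", "platform": "Windows"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as "check-manually" or "not-covered" still need a person to confirm the installed release against the notice.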