-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20191209-01: Security Notice for CA Nolio (Release Automation) Issued: December 9th, 2019 Last Updated: December 9th, 2019 CA Technologies, A Broadcom Company, is alerting customers to a potential risk with CA Nolio (Release Automation) in the DataManagement component. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA published a solution to address the vulnerability and recommends that all affected customers implement this solution. The vulnerability, CVE-2019-19230, occurs due to insecure deserialization. A remote attacker may execute arbitrary commands by exploiting insecure deserialization through the DataManagement service. Risk Rating High Platform(s) All supported platforms Affected Products CA Nolio (formerly CA Release Automation) 6.6 How to determine if the installation is affected Customers may use the product version to determine if their Nolio installation is affected. The vulnerability impacts the DataManagement component, which is the main product component on all Management Servers (aka NACs). Solution Broadcom published the following solutions to address the vulnerability. Customers should also review the Secure Communications documentation. Fix documentation Whats.new.6.6.0.10215.txt CA Nolio (Release Automation) 6.6 Linux: nolio_patch_linux-x64_6_6_0_b10215.zip CA Nolio (Release Automation) 6.6 Windows: nolio_patch_windows-x64_6_6_0_b10215.zip References CVE-2019-19230 - CA Nolio (Release Automation) DataManagement deserialization Acknowledgement CVE-2019-19230 - Jakub Palaczynski and Robert Podsiadlo from ING Tech Poland Change History Version 1.0: 2019-12-09 - Initial Release CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site. Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at ca.psirt broadcom.com Security Notices, PGP key, and disclosure policy and guidance https://techdocs.broadcom.com/ca-psirt Kevin Kotas CA Product Security Incident Response Team Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsBVAwUBXe/B2LZ6yOO9o8STAQjRJgf/XEPmnbxEMup00b9/kySn3PL/W8XEHsb1 xA14xV47ctFsbOwglyjnN5E9fyOgC8ztoAQXNCNC90ZmzFHDTUYPJbm+VTj4IhOa apEi37D58uRAKK7QWNvxpCBqHwzQETi9UuZ6TUFbw0Xl7qcwFCs2UafZVPAZJfOF 7abjEDDalrhZSjKHjVmb11NpBWESgWeM9QHaG+quZlgI2vQT1MNss8H3GJlJfeEH UY+iv0RKmNUYleEs/qeV1PKn0B4lAXg2KLcWXjBV4vNk6fCjBj/18Rc88gmYCoQE HkOXoq1V0nIaOCrPXr/lxKa3b1o3v0vJVXkJftzB8Ao0j2oZaFotiA== =Ggld -----END PGP SIGNATURE-----