CA20191210-01: Security Notice for CA Automic Sysload

Issued: December 10th, 2019
Last Updated: December 10th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a potential risk with CA Automic Sysload in the File Server component. A vulnerability exists that can allow a remote attacker to execute arbitrary commands. CA published solutions to address the vulnerability and recommends that all affected customers implement this solution.

The vulnerability, CVE-2019-19518, occurs due to a lack of authentication on the File Server port. A remote attacker may execute arbitrary commands.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Automic Sysload 5.6.0, 5.8.0, 5.8.1, 6.0.0, 6.0.1, 6.1.2

How to determine if the installation is affected

A customer is affected by the vulnerability if the module Sysload File Server is installed in the following versions:

5.60 (build lower than 60.13)
5.80
6.00 (build lower than 65.6)

Solution

CA Technologies published the following solutions to address the vulnerability:

5.6.0 HF1
5.6.0 HF2
5.8.0 HF1
5.8.1 HF1
6.0.0 HF1
6.0.1 HF1
6.1.2 HF1

Those hotfixes include the module Sysload File Server in the following versions ('readme' file):

5.60 build 60.13 (OS/400)
6.00 build 65.8 (Unix, Windows)

All of the hotfixes are available for download at Sysload downloads.

References

CVE-2019-19518 - CA Automic Sysload

Acknowledgement

CVE-2019-19518 - Raphaël Rigo from the Airbus Security Lab

Change History

Version 1.0: 2019-12-10 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site.

Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team at ca.psirt@broadcom.com

Security Notices, PGP key, disclosure policy, and related guidance can be found at https://techdocs.broadcom.com/ca-psirt

Regards,

Ken Williams
Vulnerability and Incident Response, CA PSIRT
https://techdocs.broadcom.com/ca-psirt
Broadcom | broadcom.com | Kansas City, Missouri, USA
ken.williams@broadcom.com | ca.psirt@broadcom.com

Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.