-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20201116-01: Security Notice for CA Unified Infrastructure Management

Issued: November 16th, 2020
Last Updated: November 16th, 2020

CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Unified Infrastructure Management. A vulnerability exists that can allow a local attacker to elevate privileges. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

The vulnerability, CVE-2020-28421, occurs due to improper access control. A local attacker can potentially elevate privileges.

Risk Rating

CVE-2020-28421 - High

Platform(s)

Microsoft Windows

Affected Products

CA Unified Infrastructure Management 20.1
CA Unified Infrastructure Management 9.2.0
CA Unified Infrastructure Management 9.1.0
CA Unified Infrastructure Management 9.0.2

Note: older, unsupported versions may be affected

Affected Components

The applicable component is robot (also known as controller).

Affected robot versions:
before 7.97HF11
before 9.20HF20
before 9.20SHF20 (secure)
before 9.30HF4
before 9.30SHF4 (secure)

Non-Affected Products

CA Unified Infrastructure Management 20.3

Non-Affected Components

Non-affected robot versions:
7.97HF11 or later
9.20HF20 or later
9.20SHF20 (secure) or later
9.30HF4 or later
9.30SHF4 (secure) or later

How to determine if the installation is affected

Check the controller (robot) version in Infrastructure Manager or Admin Console. The installation is affected if the robot version is lower than 7.97HF11 for UIM 9.0.2, lower than 9.20HF20 (or 9.20SHF20 for the secure robot) for UIM 9.1.0 and 9.2.0, or lower than 9.30HF4 (or 9.30SHF4 for the secure robot) for UIM 20.1. Secure robots report an "S" version string (for example 9.20SHF20) and must be compared against the secure hotfix levels, not the standard ones.

Solution

CA Technologies published the following solutions to address the vulnerability:

robot_update patches 7.97HF11 (or above), 9.20HF20 (or above) and 9.30HF4 (or above).
robot_update_secure patches 9.20SHF20 (or above) and 9.30SHF4 (or above).

Note: UIM 8.5.1 users must upgrade robot to 7.97HF11. UIM 9.1.0 users must upgrade robot to 9.20HF20 (or above).
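The version check above, as an added example that is not part of the advisory and not CA's own tooling: a Python script that parses robot version strings in the form shown in Infrastructure Manager or Admin Console (7.97HF11, 9.20SHF20, 9.30HF4) and classifies each robot against the fixed hotfix levels the advisory lists. The fixed levels are taken from the advisory; the sample inventory, the hostnames and the handling of build lines the advisory does not list (treated as affected when older than the newest fixed line on the same track, in line with the note for UIM 8.5.1 and 9.1.0 robots) are this example's assumptions.

```python
import re
from typing import NamedTuple


class RobotVersion(NamedTuple):
    major: int
    minor: int
    secure: bool   # True for the secure robot build line (the "S" in 9.20SHF20)
    hotfix: int    # HF number; 0 when the version string carries no HF suffix


# Matches version strings as displayed in Infrastructure Manager / Admin Console,
# e.g. "7.97HF11", "9.20SHF20", "9.30HF4", "9.20SHF20 (secure)" or a bare "9.20".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(S?)(?:HF(\d+))?\s*(?:\(secure\))?\s*$", re.IGNORECASE
)


def parse_robot_version(text: str) -> RobotVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised robot version string: {text!r}")
    major, minor, s, hf = m.groups()
    return RobotVersion(int(major), int(minor), s.upper() == "S", int(hf) if hf else 0)


# First fixed hotfix on each build line, from the advisory's "Non-affected robot versions".
# Keyed by (major, minor, secure) so secure and standard robots are never compared to each other.
FIXED_HOTFIX = {
    (v.major, v.minor, v.secure): v.hotfix
    for v in map(parse_robot_version,
                 ("7.97HF11", "9.20HF20", "9.20SHF20", "9.30HF4", "9.30SHF4"))
}


def classify(version_text: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one robot version string."""
    v = parse_robot_version(version_text)
    line = (v.major, v.minor, v.secure)
    if line in FIXED_HOTFIX:
        # Same build line as a fixed release: only the hotfix number decides.
        return "affected" if v.hotfix < FIXED_HOTFIX[line] else "not affected"
    # Build line not listed by the advisory. Assumption (this example's, not the
    # advisory's): a line older than the newest fixed line on the same secure/standard
    # track has no fix and must be upgraded; a newer line is outside the advisory's scope.
    newest = max((maj, mi) for (maj, mi, sec) in FIXED_HOTFIX if sec == v.secure)
    return "affected" if (v.major, v.minor) < newest else "unknown"


def audit(inventory: dict) -> dict:
    """Map each robot name to its verdict; unparsable versions are reported, not silently skipped."""
    result = {}
    for name, version_text in inventory.items():
        try:
            result[name] = classify(version_text)
        except ValueError as exc:
            result[name] = f"unknown ({exc})"
    return result


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = {
    "hub01": "9.30HF4",
    "win-app01": "9.30HF3",
    "win-db02": "9.20SHF19",
    "win-web03": "9.20SHF20 (secure)",
    "legacy-fs": "7.97HF11",
    "legacy-ad": "7.97HF9",
    "orphan": "9.10",
    "typo": "nine.twenty",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name:12s} {SAMPLE_INVENTORY[name]:20s} {verdict}")
```

Feed it the controller versions exported from your own console; the only judgement call is the "unknown" bucket, which flags robots newer than any build line the advisory covers so they get a manual look rather than a false "not affected".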
Hotfixes are available at:
https://support.broadcom.com/external/content/release-announcements/CA-Unified-Infrastructure-Management-Hotfix-Index/7233

References

CVE-2020-28421 – CA UIM improper access control privilege elevation

Acknowledgement

CVE-2020-28421 – Fabius Artrel

Change History

Version 1.0: 2020-11-16 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team at ca.psirt@broadcom.com

Security Notices, PGP key, disclosure policy, and related guidance can be found at:
https://support.broadcom.com/external/content/security-advisories/CA-Product-Vulnerability-Response-Team-Contact-Information/1867

Regards,
Ken Williams
Vulnerability and Incident Response, CA PSIRT
https://techdocs.broadcom.com/ca-psirt
Broadcom | broadcom.com | Kansas City, Missouri, USA
ken.williams@broadcom.com | ca.psirt@broadcom.com

Copyright (c) 2020 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsBVAwUBX7hE93DWZsOpNI4OAQiAcAgAqvsNL9t+DI5bO8q0/0vqjyqv/YHX66eU
NJx/MPaR0+iFZiNHr54KjD76+Pj+Fp4RsfCU0DNrk6DbrNp4K9wZFdinOLBVqg92
UoEjm5iGJwfiML2A1cL7+OSVU6eLJ7EuagbM4QKksLiCp4cqvZiEc8KrafGaw6Cg
8KSgcVz1uLtwH+Nek5D+fKwQkwNHnFFCINFniyy/nhVHZyKeUpxBa0h9Kjse1P2g
3bdcST3AzoasFWp8j/mGQ7qmzNtFCoUjNIG5wbksfrJdyJr1tILLpWaz2g7VXwL4
UYaBnRSrhsnkwdlX8VgP1Yq8ZGAzzI/7s+XAES14Ldhlh7M61SM0Vw==
=f9//
-----END PGP SIGNATURE-----