Title: CA Service Desk Multiple Cross-Site Scripting Vulnerabilities

CA Advisory Date: 2008-09-24

Reported By: Open Security Foundation

Impact: A remote attacker can conduct cross-site scripting attacks.

Summary: CA Service Desk contains multiple vulnerabilities that can allow a remote attacker to conduct cross-site scripting attacks. CA has issued patches to address the vulnerabilities. The vulnerabilities, CVE-2008-4119, are due to insecure handling of passed variables in multiple web forms. An attacker who can convince a user to click on a specially crafted link can potentially conduct cross-site scripting attacks.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Low risk rating.

Affected Products:
CA Service Desk r11.2
CA CMDB 11.0
CA CMDB 11.1
CA CMDB 11.2

Affected Platforms:
Microsoft Windows 2003 R2
Microsoft Windows 2003 SP1
Microsoft Windows 2003 SP2
Microsoft Windows 2000 Server Family with SP4 applied (32 bit only)
Red Hat Enterprise Linux 3.0 x86
Red Hat Enterprise Linux 4.0 x86
SUSE Linux Enterprise Server 9 (SLES) x86
SUSE Linux Enterprise Server 10 SP1 (SLES) x86
Sun Solaris 9 SPARC (64 bit only)
Sun Solaris 10 SPARC (64 bit only)
HP/UX 11.11 PA-RISC (64 bit only)
HP/UX 11.23 PA-RISC (64 bit only)
HP/UX 11.31 PA-RISC (64 bit only)
AIX 5.2 (64 bit only)
AIX 5.3 (64 bit only)

Status and Recommendation:
CA CMDB 11.0 and CA CMDB 11.1 users should upgrade to CA CMDB 11.2, which includes all of the fixes. CA has issued the following cumulative fixes for CA Service Desk r11.2 to address the vulnerabilities.

Note: If you are using a version of CA Service Desk earlier than r11.2, you will first need to upgrade to r11.2. For users of earlier versions, CA recommends upgrading to r11.2.
Windows:
CA Service Desk Crystal Report component: QO99896
CA Service Desk Dashboard component: QO99895
CA Service Desk Web Screen Painter component: QO99894
CA Service Desk Web Server component: QO99893
CA Service Desk Server component: QO99892

AIX:
CA Service Desk Web Screen Painter component: QO99905
CA Service Desk Web Server component: QO99901
CA Service Desk Server component: QO99897

HPUX:
CA Service Desk Web Screen Painter component: QO99906
CA Service Desk Web Server component: QO99902
CA Service Desk Server component: QO99898

Linux:
CA Service Desk Web Screen Painter component: QO99907
CA Service Desk Web Server component: QO99903
CA Service Desk Server component: QO99899

Solaris:
CA Service Desk Web Screen Painter component: QO99908
CA Service Desk Web Server component: QO99904
CA Service Desk Server component: QO99900

How to determine if you are affected:
Check the Applyptf log to determine if the fix has been applied. Additional information, including platform-specific instructions and updated routine details, can be found in the appropriate solution document.
Workaround: None

References (URLs may wrap):

CA Support:
http://support.ca.com/

Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=186585

Solution Document Reference APARs:
QO99896, QO99895, QO99894, QO99893, QO99892, QO99905, QO99901, QO99897, QO99906, QO99902, QO99898, QO99907, QO99903, QO99899, QO99908, QO99904, QO99900

CA Security Response Blog posting:
CA Service Desk Multiple Cross-Site Scripting Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/09/25.aspx

Reported By: Open Security Foundation
http://opensecurityfoundation.org/

CVE References:
CVE-2008-4119 - CA Service Desk multiple cross-site scripting issues
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4119

OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Added CA CMDB solutions

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.
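One way to script the "check the Applyptf log" step above, as an added example that is not CA's own tooling: the APAR ids per platform are the ones listed in this advisory, while the log layout, the timestamp prefix and the word "applied" as the success marker are assumptions, because the advisory does not describe the Applyptf log format.

```python
import re

# Cumulative fix (APAR) ids listed in this advisory for CA Service Desk r11.2, per platform.
REQUIRED_FIXES = {
    "Windows": {"QO99896", "QO99895", "QO99894", "QO99893", "QO99892"},
    "AIX": {"QO99905", "QO99901", "QO99897"},
    "HPUX": {"QO99906", "QO99902", "QO99898"},
    "Linux": {"QO99907", "QO99903", "QO99899"},
    "Solaris": {"QO99908", "QO99904", "QO99900"},
}

# Any token of the form QOnnnnn. ASSUMPTION: the advisory does not document the Applyptf
# log layout, so this only assumes the APAR id appears on the line recording a successful apply.
APAR_RE = re.compile(r"\bQO\d{5}\b")


def applied_fixes(log_text, success_marker="applied"):
    """Return the set of APAR ids found on log lines that contain the success marker."""
    found = set()
    for line in log_text.splitlines():
        # ASSUMPTION: a successful apply is logged with the word "applied" on the same line.
        if success_marker.lower() in line.lower():
            found.update(APAR_RE.findall(line))
    return found


def missing_fixes(log_text, platform):
    """Return the sorted list of advisory fixes for `platform` not recorded as applied."""
    required = REQUIRED_FIXES[platform]
    return sorted(required - applied_fixes(log_text))


# Constructed sample log for this example; the layout is invented, not CA's real format.
SAMPLE_LOG = """\
2008-10-01 10:02:11 QO99893 applied successfully
2008-10-01 10:03:40 QO99892 applied successfully
2008-10-01 10:05:02 QO99895 apply FAILED: prerequisite missing
"""

if __name__ == "__main__":
    # On the sample above, a Windows host still lacks QO99894, QO99895 and QO99896.
    for fix in missing_fixes(SAMPLE_LOG, "Windows"):
        print("missing:", fix)
```

A failed apply (the third sample line) is deliberately not counted, so a fix that errored out still shows up as missing.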