Issued: January 10, 2017
Last Updated: January 10, 2017
CA Technologies support is alerting customers to a potential risk
with CA Service Desk Manager. A vulnerability exists in RESTful
web services that can potentially allow a remote authenticated
attacker to view or modify sensitive information. Fixes are
available.
The vulnerability, CVE-2016-10086, is due to incorrect permissions
being applied to certain RESTful requests that can allow a malicious
user to view or update task information. This vulnerability only
affects CA Service Desk Manager installations with RESTful web
services running.
Risk Rating
Medium
Platform(s)
Windows, Linux, Solaris, Aix
Affected Products
CA Service Desk Manager 12.9
CA Service Desk Manager 14.1
How to determine if the installation is affected
If RESTful web services are installed, the product could be
vulnerable. Please check if RESTful web services are installed and
running. The following command on the server where Service Desk is
installed can give the status of the RESTful web services:
pdm_tomcat_nxd -c status -t REST
If the status is Running, the product installation is vulnerable.
Solution
Product Version, Platform
Fix
12.9, Windows
RO93722
12.9, Linux
RO93730
12.9, Solaris
T52Y601
12.9, AIX
T52Y602
14.1, Windows
RO93720
14.1, Linux
RO93721
14.1, Solaris
T52Y593
14.1, AIX
T52Y594
Note: Customers must request "T" fixes and non-English fixes from CA
support. Published "RO" fixes can be downloaded from the Service Desk
Manager product page on the "Solutions & Patches" sub-page.
https://support.ca.com/
References
CVE-2016-10086 - CA Service Desk Manager RESTful web services task
vulnerability
Acknowledgement
CVE-2016-10086 - Bruno de Barros Bulle
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com/
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln <AT> ca.com
Security Notices and PGP key
support.ca.com/irj/portal/
www.ca.com/us/support/ca-
Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team
Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
Komentarų nėra:
Rašyti komentarą