CA20180829-03: Security Notice for CA Release Automation

From: Williams, Ken <Ken.Williams@ca.com>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: CA20180829-03: Security Notice for CA Release Automation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20180829-03: Security Notice for CA Release Automation

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to a potential risk with 
CA Release Automation.  A vulnerability exists that can allow an 
attacker to potentially execute arbitrary code.  

The vulnerability, CVE-2018-15691, has a high risk rating and concerns 
insecure deserialization of a specially crafted serialized object, 
which can allow an attacker to potentially execute arbitrary code.  


Risk Rating

High


Platform(s)

All supported platforms


Affected Products

CA Release Automation 6.3
CA Release Automation 6.4
CA Release Automation 6.5

Note:  older, unsupported releases may be affected.


Unaffected Products

CA Release Automation 6.6
CA Release Automation 6.3.0.9945 or later
CA Release Automation 6.4.0.10119 or later
CA Release Automation 6.5.0.10080 or later


How to determine if the installation is affected

Check the build number with the Help->About menu option, or determine 
which fixes are applied by looking at the Fix_Maintenance directory.


Solution

CA Technologies published the following solutions to address the 
vulnerabilities. 

CA Release Automation 6.3:
Apply Cumulative Fix build 9945 or later.

CA Release Automation 6.4:
Apply Cumulative Fix build 10119 or later.

CA Release Automation 6.5:
Apply Cumulative Fix build 10080 or later.


References

CVE-2018-15691 - CA Release Automation deserialization vulnerability


Acknowledgement

CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec


Change History

Version 1.0: 2018-08-29 - Initial Release


Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022


Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022.  All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
-----END PGP SIGNATURE-----
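
The build thresholds in the notice can be applied to an inventory of installed versions. The script below is an added example, not part of the notice or any CA tooling; it assumes the version is recorded as "major.minor" or "major.minor.patch.build" (the form used in the Unaffected Products list), and the host names and sample versions are constructed.

```python
import re

# Fixed cumulative-fix build for each affected release, as listed in the notice.
FIXED_BUILD = {(6, 3): 9945, (6, 4): 10119, (6, 5): 10080}
UNAFFECTED_RELEASE = (6, 6)

# Assumed format: "major.minor" or "major.minor.patch.build" (e.g. 6.3.0.9945).
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+)\.(\d+))?$")


def classify(version):
    """Map a version string to a status relative to CVE-2018-15691."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"
    release = (int(m.group(1)), int(m.group(2)))
    build = int(m.group(4)) if m.group(4) is not None else None
    if release == UNAFFECTED_RELEASE:
        return "unaffected"
    if release > UNAFFECTED_RELEASE:
        return "not covered"        # the notice says nothing about later releases
    if release not in FIXED_BUILD:
        return "may be affected"    # older, unsupported release
    if build is None:
        return "check build"        # affected release, build number missing
    return "fixed" if build >= FIXED_BUILD[release] else "affected"


def triage(inventory):
    """Return {host: status} for hosts that are not confirmed safe."""
    safe = {"fixed", "unaffected"}
    return {h: s for h, v in inventory.items()
            if (s := classify(v)) not in safe}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {
        "ra-prod-01": "6.3.0.9945",
        "ra-prod-02": "6.4.0.10002",
        "ra-test-01": "6.5",
        "ra-old-01": "5.5.2.371",
        "ra-new-01": "6.6.0.9640",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as "check build" or "unparseable" need the build number confirmed by hand through Help->About or the Fix_Maintenance directory.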




