[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CA20110510-01: Security Notice for CA eHealth
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: CA20110510-01: Security Notice for CA eHealth
- From: "Kotas, Kevin J" <Kevin.Kotas@xxxxxx>
- Date: Tue, 10 May 2011 19:09:58 -0400
-----BEGIN PGP SIGNED MESSAGE-----
CA20110510-01: Security Notice for CA eHealth
Issued: May 10, 2011
CA Technologies support is alerting customers to a security risk with
CA eHealth. A vulnerability exists that may potentially allow an
attacker to compromise web user security.
The vulnerability, CVE-2011-1899, occurs due to insufficient
validation of sent request parameters. An attacker, who can convince
a user to follow a carefully constructed link or view a malicious
web page, can conduct various cross-site scripting attacks.
Note: The "Scan user input for potentially malicious HTML content"
configuration option does not protect against this vulnerability.
Risk Rating
Medium
Platform
Windows
Unix
Affected Products
CA eHealth 6.0.x
CA eHealth 6.1.x
CA eHealth 6.2.1
CA eHealth 6.2.2
How to determine if the installation is affected
Locate the following file on the respective platform:
Platform
File path
Windows
"%NH_HOME%\extensions\local\42339.log"
Unix
"$NH_HOME/extensions/local/42339.log"
If the file is not present, the installation is vulnerable.
Solution
Customers may contact CA Technologies support to obtain a patch that
resolves this issue. Request the patch for PRD 42339 when submitting
the support ticket.
References
CVE-2011-1899 - eHealth cross-site scripting
CA20110510-01: Security Notice for CA eHealth
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5
662845D-4CD7-4CE6-8829-4F07A4C67366}
Acknowledgement
CVE-2011-1899 - Tony Fogarty
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Support at
http://support.ca.com/
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17
7782
Regards,
Kevin Kotas
CA Technologies Product Vulnerability Response Team
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQEVAwUBTcnDXJI1FvIeMomJAQG7OAf/VxiNXwFJPWZbqwhyVQRCN33g3+fPWGSe
6vNpiGMaZAZ9IBLbTRxI8B0XRsmcHclPFurc7SzH8zO37GktJ2RnJZ0MuZWGVQsD
dVspm/r3DxHtWyLbRGxV9FpRRErqG6OHuTPDZ69dbaODvD2p8DXzjKBC4w3vBtPi
h13x1sO6sUapQ40gYL8Z4bq8uDf+BP0iENI2VArSdalUwTdtWsD6dwmiDb45iHpX
a8HHNCVQ1YJFHhydNVnm0vhBOe58tOLC7K92Yyrk6Gn801UD/jCcg+dc5FoAibgo
LmasWeVzcPmR7ZGYiogG0abUlYZEG6KiQxyuvfk/0xthEYM6mt1fZw==
=SGmt
-----END PGP SIGNATURE-----