[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder
- From: "Williams, James K" <James.Williams@xxxxxx>
- Date: Thu, 20 Dec 2012 21:47:56 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CA20121220-01: Security Notice for CA IdentityMinder
Issued: December 20, 2012
CA Technologies Support is alerting customers to two potential risks in CA
IdentityMinder (formerly known as CA Identity Manager). Two
vulnerabilities exist that can allow a remote attacker to execute arbitrary
commands, manipulate data, or gain elevated access. CA Technologies has
issued patches to address the vulnerability.
The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.
The second vulnerability, CVE-2012-6299, allows a remote attacker to gain
elevated access.
Risk Rating
High
Affected Platforms
All
Affected Products
CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA
Non-Affected Products
None (i.e. all supported versions of CA IdentityMinder are vulnerable)
How to determine if the installation is affected
All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA
are vulnerable.
You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar
and ims.jar. The dates on these jars will be set to the dates on which the
patch was applied.
Solution
CA Technologies has issued the following patches to address the
vulnerabilities. Download the appropriate patch(es) and follow the
instructions in the readme.txt file. These patches can be applied to all
operating system platforms.
12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip
12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip
12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip
12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip
12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip
12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip
12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip
12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip
12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip
12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip
12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip
12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip
12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip
12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip
12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip
12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip
Workaround
None
References
CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access
CA20121220-01: Security Notice for CA IdentityMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B
61-3A68-4506-9876-F845F6DD8A93}
Acknowledgement
CVE-2012-6298 - Discovered internally by CA Technologies
CVE-2012-6299 - Discovered internally by CA Technologies
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com/
If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@xxxxxx
Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8
wj8DBQFQ04dQeSWR3+KUGYURAoIZAJ9QibJh7LUweVUQzvBstoWWeDV5eQCfSG1A
YK0Og3SiMtIHOoA6JWE1vTA=
=Wlax
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/