[cryptography] Fwd: [Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder

Jeffrey Walton noloader at gmail.com
Fri Jan 18 18:53:16 EST 2013


Somewhat off topic, but seems kind of relevant, too.

---------- Forwarded message ----------
From: Williams, James K <James.Williams at ca.com>
Date: Fri, Jan 18, 2013 at 5:55 PM
Subject: [Full-disclosure] CA20121220-01: Security Notice for CA
IdentityMinder [updated]
To: "full-disclosure at lists.grok.org.uk" <full-disclosure at lists.grok.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012
Updated: January 18, 2013


CA Technologies Support is alerting customers to two potential risks in CA
IdentityMinder (formerly known as CA Identity Manager).  Two
vulnerabilities exist that can allow a remote attacker to execute
arbitrary commands, manipulate data, or gain elevated access.  CA
Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files (the jar files
are created in the patch output sub-folder structure in the root folder
from which you have run the patch utility):

CA IdentityMinder r12.0 CR16 and earlier – user_console.jar
CA IdentityMinder r12.5 SP1 thru SP6 – user_console.jar
CA IdentityMinder r12.5 SP7 thru SP14 – user_console.jar & imsapi6.jar
CA IdentityMinder r12.6 GA –  user_console.jar & imsapi6.jar

The dates on these jar files will be set to the date on which the patch was
applied.


Solution

CA Technologies has issued the following patches to address the
vulnerabilities.  Download the appropriate patch(es) and follow the
instructions in the readme.txt file.  These patches can be applied to all
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip


Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
(URL may wrap)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B
61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release

Version 1.1: Revised the section entitled "How to determine if the
installation is affected".


If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

CA Technologies Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22 at ca.com


Copyright (C) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQ+dCzeSWR3+KUGYURAnGbAJ9yscNDhny2rCY2X4qS6g/YtOtM6QCffyTw
tZL1z2lAQhkrxdDNzN9tyzs=
=rNug
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



More information about the cryptography mailing list