CA Output Management Web Viewer Security Notice

Published: 2011.05.02
Credit: Williams, James K
Risk: High
CWE: CWE-119
CVE: CVE-2011-1719
Local: No
Remote: Yes

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

CA20110420-02: Security Notice for CA Output Management Web Viewer

Issued: April 20, 2011

CA Technologies support is alerting customers to security risks
associated with CA Output Management Web Viewer. Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary code. CA
Technologies has issued patches to address the vulnerabilities.

The vulnerabilities, CVE-2011-1719, are due to boundary errors in the
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote
attacker can create a specially crafted web page to exploit the flaws
and potentially execute arbitrary code.

Risk Rating

High

Platform

Windows

Affected Products

CA Output Management Web Viewer 11.0
CA Output Management Web Viewer 11.5

How to determine if the installation is affected

If the end-user controls are at a version that is less than the
versions listed below, the installation is vulnerable.

File Name                  Version

UOMWV_HelperActiveX.ocx    11.5.0.1
PPSView.ocx                1.0.0.7
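
One way to run the version check above on a Windows workstation, as an added example (not CA's tooling and not part of the original notice). The file names and fixed versions come from the table; the default search root is an assumption about where the controls were installed, so pass your own paths if they live elsewhere.

```powershell
# Added example: flag copies of the two controls that are older than the
# fixed versions listed in the notice.
param(
    # Assumed location for browser-installed ActiveX controls; override as needed.
    [string[]]$SearchRoot = @(Join-Path $env:SystemRoot 'Downloaded Program Files')
)

# Minimum non-vulnerable versions, taken from the table in the notice.
$FixedVersion = @{
    'UOMWV_HelperActiveX.ocx' = [version]'11.5.0.1'
    'PPSView.ocx'             = [version]'1.0.0.7'
}

function Get-ControlStatus {
    param([System.IO.FileInfo]$File, [version]$Fixed)
    $vi = $File.VersionInfo
    # Build the version from the numeric parts. The FileVersion string in older
    # binaries is often written "1, 0, 0, 7", which neither parses nor sorts.
    # A file with no version resource reports 0.0.0.0 and is flagged for review.
    $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path       = $File.FullName
        Found      = $found
        Fixed      = $Fixed
        # [version] compares numerically per component, so 1.0.0.10 > 1.0.0.7.
        Vulnerable = ($found -lt $Fixed)
    }
}

$results = foreach ($root in $SearchRoot) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($name in $FixedVersion.Keys) {
        Get-ChildItem -LiteralPath $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ControlStatus -File $_ -Fixed $FixedVersion[$name] }
    }
}

if (-not $results) {
    Write-Output 'No copies of the controls found under the given search roots.'
} else {
    $results | Sort-Object Path | Format-Table -AutoSize
}
```

A clean result only means no copy was found under the paths searched; rerun it after end-users have accepted the updated controls to confirm the new versions are in place.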

Solution

CA has issued the following patches to address the vulnerability.

CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).

CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).

References

CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer
Overflows

Acknowledgement

Dmitriy Pletnev, Secunia Research

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22 (at) ca (dot) com
