CA20110420-02: Security Notice for CA Output Management Web Viewer Issued: April 20, 2011 CA Technologies support is alerting customers to security risks associated with CA Output Management Web Viewer. Two vulnerabilities exist that can allow a remote attacker to execute arbitrary code. CA Technologies has issued patches to address the vulnerabilities. The vulnerabilities, CVE-2011-1719, are due to boundary errors in the UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote attacker can create a specially crafted web page to exploit the flaws and potentially execute arbitrary code. Risk Rating High Platform Windows Affected Products CA Output Management Web Viewer 11.0 CA Output Management Web Viewer 11.5 How to determine if the installation is affected If the end-user controls are at a version that is less than the versions listed below, the installation is vulnerable. File Name Version UOMWV_HelperActiveX.ocx 11.5.0.1 PPSView.ocx 1.0.0.7 Solution CA has issued the following patches to address the vulnerability. CA Output Management Web Viewer 11.0: Apply the RO29119 APAR, and then have end-users allow updated controls to be installed (on next attempt to use impacted feature). CA Output Management Web Viewer 11.5: Apply the RO29120 APAR, and then have end-users allow updated controls to be installed (on next attempt to use impacted feature). References CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer Overflows Acknowledgement Dmitriy Pletnev, Secunia Research Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in a CA Technologies product, please report your findings to the CA Technologies Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director ca technologies Product Vulnerability Response Team ca technologies Business Unit Operations wilja22 (at) ca (dot) com [email concealed]