-----BEGIN PGP SIGNED MESSAGE----- CA20110510-01: Security Notice for CA eHealth Issued: May 10, 2011 CA Technologies support is alerting customers to a security risk with CA eHealth. A vulnerability exists that may potentially allow an attacker to compromise web user security. The vulnerability, CVE-2011-1899, occurs due to insufficient validation of sent request parameters. An attacker, who can convince a user to follow a carefully constructed link or view a malicious web page, can conduct various cross-site scripting attacks. Note: The "Scan user input for potentially malicious HTML content" configuration option does not protect against this vulnerability. Risk Rating Medium Platform Windows Unix Affected Products CA eHealth 6.0.x CA eHealth 6.1.x CA eHealth 6.2.1 CA eHealth 6.2.2 How to determine if the installation is affected Locate the following file on the respective platform: Platform File path Windows "%NH_HOME%\extensions\local\42339.log" Unix "$NH_HOME/extensions/local/42339.log" If the file is not present, the installation is vulnerable. Solution Customers may contact CA Technologies support to obtain a patch that resolves this issue. Request the patch for PRD 42339 when submitting the support ticket. References CVE-2011-1899 - eHealth cross-site scripting CA20110510-01: Security Notice for CA eHealth (line wraps) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5 662845D-4CD7-4CE6-8829-4F07A4C67366} Acknowledgement CVE-2011-1899 - Tony Fogarty Change History Version 1.0: Initial Release If additional information is required, please contact CA Support at http://support.ca.com/ If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team. (line wraps) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17 7782 Regards, Kevin Kotas CA Technologies Product Vulnerability Response Team -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQEVAwUBTcnDXJI1FvIeMomJAQG7OAf/VxiNXwFJPWZbqwhyVQRCN33g3+fPWGSe 6vNpiGMaZAZ9IBLbTRxI8B0XRsmcHclPFurc7SzH8zO37GktJ2RnJZ0MuZWGVQsD dVspm/r3DxHtWyLbRGxV9FpRRErqG6OHuTPDZ69dbaODvD2p8DXzjKBC4w3vBtPi h13x1sO6sUapQ40gYL8Z4bq8uDf+BP0iENI2VArSdalUwTdtWsD6dwmiDb45iHpX a8HHNCVQ1YJFHhydNVnm0vhBOe58tOLC7K92Yyrk6Gn801UD/jCcg+dc5FoAibgo LmasWeVzcPmR7ZGYiogG0abUlYZEG6KiQxyuvfk/0xthEYM6mt1fZw== =SGmt -----END PGP SIGNATURE-----