CA20121220-01: Security Notice for CA IdentityMinder Issued: December 20, 2012 CA Technologies Support is alerting customers to two potential risks in CA IdentityMinder (formerly known as CA Identity Manager). Two vulnerabilities exist that can allow a remote attacker to execute arbitrary commands, manipulate data, or gain elevated access. CA Technologies has issued patches to address the vulnerability. The first vulnerability, CVE-2012-6298, allows a remote attacker to execute arbitrary commands or manipulate data. The second vulnerability, CVE-2012-6299, allows a remote attacker to gain elevated access. Risk Rating High Affected Platforms All Affected Products CA IdentityMinder r12.0 CR16 and earlier CA IdentityMinder r12.5 SP1 thru SP14 CA IdentityMinder r12.6 GA Non-Affected Products None (i.e. all supported versions of CA IdentityMinder are vulnerable) How to determine if the installation is affected All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA are vulnerable. You can confirm that patches have been successfully applied by checking the dates associated with the following IdentityMinder jar files: imsapi6.jar and ims.jar. The dates on these jars will be set to the dates on which the patch was applied. Solution CA Technologies has issued the following patches to address the vulnerabilities. Download the appropriate patch(es) and follow the instructions in the readme.txt file. These patches can be applied to all operating system platforms. 12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip 12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip 12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip 12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip 12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip 12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip 12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip 12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip 12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip 12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip 12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip 12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip 12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip 12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip 12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip 12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip Workaround None References CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate data CVE-2012-6299 - CA IdentityMinder gain elevated access CA20121220-01: Security Notice for CA IdentityMinder https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93} Acknowledgement CVE-2012-6298 - Discovered internally by CA Technologies CVE-2012-6299 - Discovered internally by CA Technologies Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director CA Technologies Product Vulnerability Response Team CA Technologies Business Unit Operations wilja22@ca.com Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.