CA IdentityMinder Multiple Vulns 2

2013.01.19
Credit: Ken Williams
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012
Updated: January 18, 2013

CA Technologies Support is alerting customers to two potential risks in CA IdentityMinder (formerly known as CA Identity Manager). Two vulnerabilities exist that can allow a remote attacker to execute arbitrary commands, manipulate data, or gain elevated access. CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain elevated access.

Risk Rating

High

Affected Platforms

All

Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA

Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)

How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA are vulnerable.

You can confirm that patches have been successfully applied by checking the dates associated with the following IdentityMinder jar files (the jar files are created in the patch output sub-folder structure in the root folder from which you have run the patch utility):

CA IdentityMinder r12.0 CR16 and earlier – user_console.jar
CA IdentityMinder r12.5 SP1 thru SP6 – user_console.jar
CA IdentityMinder r12.5 SP7 thru SP14 – user_console.jar & imsapi6.jar
CA IdentityMinder r12.6 GA – user_console.jar & imsapi6.jar

The dates on these jar files will be set to the date on which the patch was applied.

Solution

CA Technologies has issued the following patches to address the vulnerabilities. Download the appropriate patch(es) and follow the instructions in the readme.txt file. These patches can be applied to all operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip
12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip
12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip
12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip
12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip
12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip
12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip
12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip
12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip
12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip
12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip
12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip
12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip
12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip
12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip
12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip

Workaround

None

References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
(URL may wrap)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}

Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies
CVE-2012-6299 - Discovered internally by CA Technologies

Change History

Version 1.0: Initial Release
Version 1.1: Revised the section entitled "How to determine if the installation is affected".

If additional information is required, please contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

CA Technologies Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Thanks and regards,
Ken Williams, Director
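
The jar date check described under "How to determine if the installation is affected" can be scripted; the following is an added example, not part of the CA notice or of CA's patch utility. The function names, the command-line form, and the use of the notice's issue date as the earliest plausible patch date are assumptions of this example.

```python
import os
import sys
from datetime import date, datetime

# "Issued" date of CA20121220-01. Assumption of this example: a jar dated
# earlier than the notice cannot have been produced by the patch utility.
NOTICE_ISSUED = date(2012, 12, 20)

def expected_jars(release, sp=0):
    """Jar files the advisory lists for a release ('12.0', '12.5', '12.6')."""
    if release == "12.0":
        return ["user_console.jar"]
    if release == "12.5":
        if not 1 <= sp <= 14:
            raise ValueError("advisory covers r12.5 SP1 thru SP14 only")
        return ["user_console.jar"] if sp <= 6 else ["user_console.jar", "imsapi6.jar"]
    if release == "12.6":
        return ["user_console.jar", "imsapi6.jar"]
    raise ValueError("release not covered by the advisory: %r" % release)

def check_patch_output(root, release, sp=0, not_before=NOTICE_ISSUED):
    """Walk the patch output tree; return {jar: [(path, date, plausible)]}."""
    found = {name: [] for name in expected_jars(release, sp)}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in found:
                path = os.path.join(dirpath, name)
                stamp = datetime.fromtimestamp(os.path.getmtime(path)).date()
                found[name].append((path, stamp, stamp >= not_before))
    return found

def is_patched(report):
    """True only if every expected jar exists and none predates the notice."""
    return all(hits and all(ok for _, _, ok in hits) for hits in report.values())

if __name__ == "__main__":
    # usage: script.py <patch-utility root folder> <release> [service pack]
    root, release = sys.argv[1], sys.argv[2]
    sp = int(sys.argv[3]) if len(sys.argv) > 3 else 0
    report = check_patch_output(root, release, sp)
    for jar, hits in report.items():
        if not hits:
            print("MISSING  %s" % jar)
        for path, stamp, ok in hits:
            print("%s  %s  %s" % ("OK     " if ok else "TOO OLD", stamp, path))
    sys.exit(0 if is_patched(report) else 1)
```

A file date only shows when a jar was last written, so treat a passing result as consistent with the patch having been applied, and compare the reported date with your own change record.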

References:

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
https://cxsecurity.com/issue/WLB-2012120193

