-----BEGIN PGP SIGNED MESSAGE-----
CA20141215-01: Security Notice for CA LISA Release Automation
Issued: December 15, 2014
CA Technologies Support is alerting customers to multiple
vulnerabilities in CA Release Automation (formerly CA LISA Release
Automation, change effective 2014-09-19).
The first vulnerability, CVE-2014-8246, is a cross-site request forgery
(CSRF) issue related to insufficient validation. A remote attacker can
potentially execute privileged actions on a vulnerable website.
The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)
issue caused by insufficient input filtering. A remote attacker can
execute specially crafted script.
The third vulnerability, CVE-2014-8248, is a SQL injection issue caused
by insufficient input sanitization. An attacker with a non-privileged
account could utilize a specially crafted query to access privileged
CA Release Automation 4.7.1 Build 413 and earlier
CA Release Automation 4.7.1 Build 448
How to determine if the installation is affected
To confirm that cumulative hot fix b448 is installed, navigate to the
RA "About Automation Studio" page and check the displayed version.
Patched systems will display version 126.96.36.1998 or later.
Alternatively, you can see which fixes are applied (the fix folders
are visible) by looking at the Fix_Maintenance directory.
Linux, Solaris example:
CA Technologies has issued the following fix to address the
CA Release Automation 4.7.1:
Apply Hot Fix 5 (cumulative hot fix b448) for CA Lisa Release
CVE-2014-8246 - Release Automation cross-site request forgery (CSRF)
CVE-2014-8247 - Release Automation cross-site scripting (XSS)
CVE-2014-8248 - Release Automation SQL injection
CVE-2014-8246 - Lukasz Plonka, Julian Horoszkiewicz
CVE-2014-8247 - Julian Horoszkiewicz
CVE-2014-8248 - Lukasz Plonka
v1.0: 2014-12-15, Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at email@example.com
CA Technologies Product Vulnerability Response Team PGP Key:
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | firstname.lastname@example.org
Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
-----END PGP SIGNATURE-----