CA20160323-01: Security Notice for CA Single Sign-On Web Agents
Issued: March 23, 2016
Last Updated: March 23, 2016
CA Technologies Support is alerting customers to potential risks with CA
Single Sign-On (CA SSO), formerly known as CA SiteMinder. Michael
Brooks of BishopFox alerted CA to vulnerabilities that can allow a remote
attacker to cause a denial of service or possibly gain sensitive
information. CA has fixes that address the vulnerabilities.
The first vulnerability, CVE-2015-6853, occurs due to insufficient
verification of requests in the CA SSO Domino web agent. A remote
attacker can make a request that could result in a crash or the
disclosure of sensitive information. CA has assigned this vulnerability
a High risk rating. Only CA SSO customers using the Domino web agent
are affected by this vulnerability.
The second vulnerability, CVE-2015-6854, occurs due to insufficient
verification of requests in all CA SSO web agents other than the Domino
web agent. A remote attacker can make a request that could result in a
crash or disclose sensitive information. CA has assigned this vulnerability
a High risk rating. The web agents in CA SSO versions 12.51 and 12.52
are not affected by this vulnerability. Secure Proxy Server (SPS)
Agents, SharePoint Agents, Application Server Agents, ERP Agents,
Web Agent Option Pack, and Custom Agents are also not affected by
this vulnerability.
Risk Rating
CVE Identifier - Risk
CVE-2015-6853 - High
CVE-2015-6854 - High
Platform
All supported platforms
Affected Products
CVE-2015-6853 applies to the Domino web agent with the following
versions:
CA Single Sign-On R6, R12, R12.0J, R12.5, R12.51, R12.52
CVE-2015-6854 applies to all web agents, except the Domino agent,
with the following versions:
CA Single Sign-On R6, R12, R12.0J, R12.5
Note: Secure Proxy Server (SPS) Agents, SharePoint Agents, Application
Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents
are not impacted by these vulnerabilities.
How to determine if the installation is affected
Compare the installed web agent version against the fix versions listed
in the Solution section. Customers may enable and examine the web agent
log to determine the installed version.
Solution
Customers running R6 agents should update to a web agent from CA
SSO R12.0 SP3 CR13, R12.0J SP3 CR1.2, R12.5 CR5, R12.51 CR4, or
R12.52 SP1 CR3.
Fix table for CVE-2015-6853
Web Agent Version - Fix Version
R12.0 Domino web agent - R12.0 SP3 CR13
R12.0J Domino web agent - R12.0J SP3 CR1.2
R12.5 Domino web agent - R12.5 CR5
R12.51 Domino web agent - R12.51 CR4
R12.52 Domino web agent - R12.52 SP1 CR3
Fix table for CVE-2015-6854
Web Agent Version - Fix Version
R12.0 web agents except the Domino web agent - R12.0 SP3 CR13
R12.0J web agents except the Domino web agent - R12.0J SP3 CR1.2
R12.5 web agents except the Domino web agent - R12.5 CR5
R12.51 web agents except the Domino web agent - Not affected
R12.52 web agents except the Domino web agent - Not affected
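As an added example (not CA's code and not a CA-supplied tool), the following Python script applies the fix tables above to an agent version written in the advisory's own notation, which is the comparison an operator performs after reading the version out of the web agent log. It assumes the version string has already been extracted from the log (the log format is not given in this notice), that a service pack (SPn) orders after every CR of the base release, and that CR numbers compare numerically component by component; the agent type labels "domino", "web" and "other" are the script's own.

```python
"""Classify a CA SSO web agent version against the fix tables in
CA20160323-01 (CVE-2015-6853 / CVE-2015-6854).

Added example, not CA's code.  Version strings use the advisory's own
notation ("R12.5 CR4", "R12.0J SP3 CR1.2").  Extracting that string from
the web agent log is installation-specific and assumed done by the caller.
"""
import re
from typing import Optional

# Fix versions from the advisory, keyed by release family
# (major, minor, is_J_line).  R6 has no fixed R6 build: the advisory says
# R6 agents must move to one of the fixed R12.x releases.
FIX_DOMINO = {             # CVE-2015-6853: Domino web agent only
    (12, 0, False): "R12.0 SP3 CR13",
    (12, 0, True):  "R12.0J SP3 CR1.2",
    (12, 5, False): "R12.5 CR5",
    (12, 51, False): "R12.51 CR4",
    (12, 52, False): "R12.52 SP1 CR3",
}
FIX_NON_DOMINO = {         # CVE-2015-6854: R12.51 / R12.52 are not affected
    (12, 0, False): "R12.0 SP3 CR13",
    (12, 0, True):  "R12.0J SP3 CR1.2",
    (12, 5, False): "R12.5 CR5",
}

_VERSION_RE = re.compile(
    r"^R(?P<major>\d+)(?:\.(?P<minor>\d+))?(?P<j>J)?"
    r"(?:\s+SP(?P<sp>\d+))?(?:\s+CR(?P<cr>\d+(?:\.\d+)*))?$"
)


def parse_version(text: str):
    """Split 'R12.0J SP3 CR1.2' into (family, level).

    family = (major, minor, is_J)   e.g. (12, 0, True); "R12" == "R12.0"
    level  = (sp, cr_tuple)         e.g. (3, (1, 2))
    Assumption: an SP orders after every CR of the base release, and CR
    numbers compare numerically per component (CR13 > CR1.2).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CA SSO version string: {text!r}")
    family = (int(m["major"]), int(m["minor"] or 0), m["j"] is not None)
    sp = int(m["sp"] or 0)
    cr = tuple(int(p) for p in m["cr"].split(".")) if m["cr"] else ()
    return family, (sp, cr)


def is_affected(version: str, agent_type: str, cve: str) -> Optional[bool]:
    """True = affected, False = not affected, None = release family not
    listed in the advisory (treat as 'confirm with the vendor').

    agent_type: "domino", "web" (any other CA SSO web agent) or "other"
    (SPS, SharePoint, Application Server, ERP, Option Pack, Custom agents),
    which the advisory lists as not impacted by either CVE.
    """
    if agent_type == "other":
        return False
    if cve == "CVE-2015-6853":
        if agent_type != "domino":
            return False
        table = FIX_DOMINO
    elif cve == "CVE-2015-6854":
        if agent_type != "web":
            return False
        table = FIX_NON_DOMINO
    else:
        raise ValueError(f"CVE not covered by CA20160323-01: {cve}")

    family, level = parse_version(version)
    if family == (6, 0, False):
        return True            # R6: no fixed R6 build, upgrade required
    fix = table.get(family)
    if fix is None:
        # R12.51/R12.52 non-Domino are explicitly not affected; any other
        # unlisted family is unknown to this notice.
        return False if family in FIX_DOMINO else None
    return level < parse_version(fix)[1]


def check_agent(version: str, agent_type: str) -> dict:
    """Evaluate both CVEs for one agent, e.g. per host in an inventory."""
    return {cve: is_affected(version, agent_type, cve)
            for cve in ("CVE-2015-6853", "CVE-2015-6854")}


if __name__ == "__main__":
    # Constructed sample inventory (no real hosts); versions are invented.
    inventory = [("R12.5 CR4", "domino"), ("R12.51 CR2", "web"),
                 ("R12.52 CR4", "domino"), ("R6", "web"), ("R12.5 CR1", "other")]
    for ver, kind in inventory:
        print(f"{ver:18} {kind:7} {check_agent(ver, kind)}")
```

The script returns None rather than False for a release family the notice does not mention, so an unlisted version is surfaced for follow-up instead of being silently reported as safe.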
References
CVE-2015-6853 - Single Sign-On Domino web agent denial of service,
information disclosure
CVE-2015-6854 - Single Sign-On web agent (non-Domino) denial of
service, information disclosure
Acknowledgement
CVE-2015-6853, CVE-2015-6854 - Michael Brooks of BishopFox
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com/
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com
Security Notices and PGP key
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team
Copyright (c) 2016 CA. All Rights Reserved. One CA Plaza, Islandia,
N.Y. 11749. All other trademarks, trade names, service marks, and
logos referenced herein belong to their respective companies.