CA20160323-01: Security Notice for CA Single Sign-On Web Agents Issued: March 23, 2016 Last Updated: March 23, 2016 CA Technologies Support is alerting customers to potential risks with CA Single Sign-On (CA SSO), formerly known as CA SiteMinder. Michael Brooks of BishopFox alerted CA to vulnerabilities that can allow a remote attacker to cause a denial of service or possibly gain sensitive information. CA has fixes that address the vulnerabilities. The first vulnerability, CVE-2015-6853, occurs due to insufficient verification of requests in the CA SSO Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. Only CA SSO customers using the Domino web agent are affected by this vulnerability. The second vulnerability, CVE-2015-6854, occurs due to insufficient verification of requests in all CA SSO web agents other than the Domino web agent. A remote attacker can make a request that could result in a crash or disclose sensitive information. CA has assigned this vulnerability a High risk rating. The web agents in CA SSO versions 12.51 and 12.52 are not affected by this vulnerability. Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are also not affected by this vulnerability. Risk Rating CVE Identifier Risk CVE-2015-6853 High CVE-2015-6854 High Platform All supported platforms Affected Products CVE-2015-6853 applies to the Domino web agent with the following versions: CA Single Sign-On R6, R12, R12.0J, R12.5, R12.51, R12.52 CVE-2015-6854 applies to all web agents, except the Domino agent, with the following versions: CA Single Sign-On R6, R12, R12.0J, R12.5 Note: Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are not impacted by these vulnerabilities. How to determine if the installation is affected See the Solution section for the web agent fix version. Customers may enable and examine the web agent log to determine the version. Solution Customers running R6 agents should update to a web agent from CA SSO R12.0 SP3 CR13, R12.0J SP3 CR1.2, R12.5 CR5, R12.51 CR4, or R12.52 SP1 CR3. Fix table for CVE-2015-6853 Web Agent Version - Fix Version R12.0 Domino web agent - R12.0 SP3 CR13 R12.0J Domino web agent - R12.0J SP3 CR1.2 R12.5 Domino web agent - R12.5 CR5 R12.51 Domino web agent - R12.51 CR4 R12.52 Domino web agent - R12.52 SP1 CR3 Fix table for CVE-2015-6854 Web Agent Version - Fix Version R12.0 web agents except the Domino web agent - R12.0 SP3 CR13 R12.0J web agents except the Domino web agent - R12.0J SP3 CR1.2 R12.5 web agents except the Domino web agent - R12.5 CR5 R12.51 web agents except the Domino web agent - Not affected R12.52 web agents except the Domino web agent -Not affected References CVE-2015-6853 - Single Sign-On Domino web agent denial of service, information disclosure CVE-2015-6854 - Single Sign-On web agent (non-Domino) denial of service, information disclosure Acknowledgement CVE-2015-6853, CVE-2015-6854 - Michael Brooks of BishopFox Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com Security Notices and PGP key https://support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Team Copyright (c) 2016 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.