CA Common Services Distributed Intelligence Architecture (DIA) Code Execution

2019.09.10
Credit: Kevin Kotas
Risk: High
Local: No
Remote: Yes
CWE: CWE-284


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

CA20190904-01: Security Notice for CA Common Services Distributed Intelligence Architecture (DIA)

Issued: September 4th, 2019
Last Updated: September 4th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a potential risk with CA Common Services in the Distributed Intelligence Architecture (DIA) component. A vulnerability exists, CVE-2019-13656, that can allow a remote attacker to execute arbitrary code. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Common Components DIA

CA Technologies products that bundle this software include:

CA Client Automation 14 and later versions
CA Workload Automation AE 11.3.5 and 11.3.6

How to determine if the installation is affected

Customers should review the Solution section to determine whether the fix is present.

CA Workload Automation Autosys:
The Distributed Intelligence Architecture (DIA) that installs with the 11.3.5 and 11.3.6 C3 DVD is vulnerable.

Solution

CA published the following solutions to address the vulnerabilities. Fixes are available on the CA support site.

CA Client Automation:
Windows Solution: SO09605
Linux Solution: SO09633

CA Workload Automation Autosys:
The following are the fixes published by the Workload Automation Autosys Product team for the vulnerability CVE-2019-13656 reported against Distributed Intelligence Architecture (DIA) shipped with C3 DVD.
Windows Solution: SO09111
Linux Solution: SO09057
HP-UX Solution: SO09086
Solaris Solution: SO09084
AIX Solution: SO09085

Patch Validation

The script applypatch.bat for Windows and applypatch.sh for Linux and Unix platforms when run should not produce any errors in its console output. The script starts the NSM services at the end of the patch application process. A successful patch application is manifested in the form of all services coming up successfully.

References

CVE-2019-13656 - Ca Common Services remote code execution

Acknowledgement

CVE-2019-13656 - Fredrik Ravne, Oslo Boers

Change History

Version 1.0: Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site.

Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at ca.psirt <AT> broadcom.com

Security Notices, PGP key, and disclosure policy and guidance
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
CA Product Security Incident Response Team

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.


Copyright 2019, cxsecurity.com

 
