CA20111208-01: Security Notice for CA SiteMinder
Published:
December 09 2011, 07:33 AM
by
Ken Williams
Today we published a security notice and fixes to address a medium risk, publicly known vulnerability in CA SiteMinder. The vulnerability, CVE-2011-4054,
occurs due to insufficient validation of postpreservationdata parameter input
utilized in the login.fcc form. A malicious user can submit a specially crafted
request to effectively hijack a victim’s browser. Vulnerability details were first publicized by CERT on 2011-12-07 in US-CERT Vulnerability Note VU#713012 - CA Siteminder login.fcc form xss vulnerability. We are not aware of any active exploitation, and due to the lower risk, we do not anticipate any widespread exploitation. Note that fixes are currently available only for SiteMinder R12. Fixes for SiteMinder R6 should be available in January 2012.
CA20111208-01: Security
Notice for CA SiteMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A7DA8AC2-E9B4-4DDE-B828-098E0955A344}
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA Technologies.
By: Ken Williams
Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst...
Read More..
3 people have left comments: