Published: December 09 2011, 07:33 AM | 3 Comment(s) | by Ken Williams
Today we published a security notice and fixes to address a medium risk, publicly known vulnerability in CA SiteMinder. The vulnerability, CVE-2011-4054, occurs due to insufficient validation of postpreservationdata parameter input utilized in the login.fcc form. A malicious user can submit a specially crafted request to effectively hijack a victim's browser. Vulnerability details were first publicized by CERT on 2011-12-07 in US-CERT Vulnerability Note VU#713012 - CA Siteminder login.fcc form xss vulnerability. We are not aware of any active exploitation, and due to the lower risk, we do not anticipate any widespread exploitation. Note that fixes are currently available only for SiteMinder R12. Fixes for SiteMinder R6 should be available in January 2012.
CA20111208-01: Security Notice for CA SiteMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A7DA8AC2-E9B4-4DDE-B828-098E0955A344}
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA Technologies.
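The CVE-2011-4054 issue above is a reflected-input problem in the postpreservationdata parameter of the login.fcc form. As an added example, not code from CA or from this post, here is a defender-side check that scans web server access log lines for login.fcc requests whose postpreservationdata value, once URL-decoded, contains characters that can break out into HTML or script; hits of this kind are worth alerting on while the R6 fix is still pending. The log format, paths and sample lines are constructed, and it is an assumption that a legitimate postpreservationdata value never carries those characters.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log lines (common log format); not real CA traffic.
# Line 2 carries an HTML break-out sequence in postpreservationdata, line 4
# carries one but is not a login.fcc request, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2011:10:01:02 +0000] "GET /siteminderagent/forms/login.fcc?TARGET=https://app.example/home&postpreservationdata=dGVzdA%3D%3D HTTP/1.1" 200 512
10.0.0.9 - - [08/Dec/2011:10:01:07 +0000] "GET /siteminderagent/forms/login.fcc?TARGET=https://app.example/home&postpreservationdata=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640
10.0.0.9 - - [08/Dec/2011:10:01:09 +0000] "GET /siteminderagent/forms/login.fcc?TARGET=https://app.example/home HTTP/1.1" 200 512
10.0.0.7 - - [08/Dec/2011:10:01:11 +0000] "GET /app/index.html?postpreservationdata=%3Cb%3E HTTP/1.1" 200 128
"""

# Pulls the client address, method and request target out of one log line.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that let a reflected value escape an HTML attribute or element;
# assumption: a legitimate postpreservationdata value never contains them.
BREAKOUT_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def flag_login_fcc_requests(log_text):
    """Return one hit per login.fcc request whose postpreservationdata looks like markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/login.fcc"):
            continue  # the advisory is specific to the login.fcc form
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("postpreservationdata", []):
            value = unquote_plus(raw)  # parse_qs decoded once; a second pass catches double encoding
            if BREAKOUT_RE.search(value):
                hits.append({"client": m.group("client"), "method": m.group("method"), "value": value})
    return hits


if __name__ == "__main__":
    for hit in flag_login_fcc_requests(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} login.fcc postpreservationdata={hit['value']!r}")
```

Only the query string is visible in a standard access log; a POST body carrying the parameter needs a WAF or application-level log to apply the same check.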
By: Ken Williams
Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst...
By: Kevin Kotas
Kevin Kotas is an Engineering Services Architect with the CA Product Vulnerability Response Team. He has over eleven years of vulnerability management experience and discovered several vulnerabilities in products from multiple major software providers. Kevin holds a B.S. degree in Computer Science from...
Published: August 12 2011, 03:25 PM | no comments | by Ken Williams
On August 9, 2011, we published a security notice and fix to address a high risk vulnerability in ARCserve D2D r15. The vulnerability, CVE-2011-3011, is due to improper session handling. A remote attacker can potentially access credentials and execute arbitrary commands. Vulnerability and exploit details were originally disclosed on BugTraq on July 26, 2011, and CA was not contacted prior to the public disclosure. We are not aware of any active exploitation at this time, but we do anticipate activity because of the public disclosure of exploit details.
CA20110809-01: Security Notice for CA ARCserve D2D
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={7D3ACC0F-6C01-4BE2-B5C0-C430CEB45BE6}
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA.
Published: July 26 2011, 02:30 PM | no comments | by Ken Williams
CA Technologies is aware of ARCserve D2D vulnerability and exploit details that were posted to BugTraq on 2011-07-26. We're currently reviewing the information and will post an update after we have completed our initial investigation.
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com
The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA.