On June 21, 2007 CA published a security notice to address multiple vulnerabilities in CA products that embed Ingres.
Title: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities
CA Vuln ID (CAID): 35450, 35451, 35452, 35453
CA Advisory Date: 2007-06-21
Reported By: NGSSoftware, and iDefense
Impact: Remote attackers can potentially execute arbitrary code.
Summary: Various CA products that embed Ingres products contain multiple vulnerabilities that can allow an attacker to potentially execute arbitrary code. CA has issued fixes, to address all of these vulnerabilities, for all supported CA products that may be affected.
1) Ingres controllable pointer overwrite vulnerability (reported by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can potentially execute arbitrary code within the context of the database server.
2) Ingres remote unauthenticated pointer overwrite #2 (reported by NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Description: An unauthenticated attacker can exploit a pointer overwrite vulnerability to execute arbitrary code within the context of the database server.
3) Ingres wakeup file overwrite (reported by NGSSoftware) [Ingres bug 115913, CVE-2007-3337, CAID 35451]
Description: The "wakeup" binary creates a file named "alarmwkp.def" in the current directory, truncating the file if it already exists. The "wakeup" binary is setuid "ingres" and world-executable. Consequently, an attacker can truncate a file with the privileges of the "ingres" user.
4) Ingres uuid_from_char stack overflow (reported by NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: An attacker can pass a long string as an argument to uuid_from_char() to cause a stack buffer overflow and the saved returned address can be overwritten.
5) Ingres verifydb local stack overflow (reported by NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452]
Description: A local attacker can exploit a stack overflow in the Ingres verifydb utility duve_get_args function.
6) Communication server heap corruption (reported by iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code within the context of the communications server (iigcc.exe). This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2023.
7) Data Access/JDBC server heap corruption (reported by iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453]
Description: An attacker can execute arbitrary code or cause an access violation within the context of the Data Access server (iigcd.exe) in r3 and 2006 release 1 or the JDBC server in older releases. This only affects Ingres on the Windows operating system. Reported by iDefense as IDEF2022 and NGSSoftware as NGS00395.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a cumulative High risk rating.
Affected Products:
Advantage Data Transformer r2.2
AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
AllFusion Harvest Change Manager r7, r7.1
BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and Mainframe Linux)
BrightStor ARCserve Backup for Laptops and Desktops r11.5
BrightStor Enterprise Backup (Unix only) r10.5
BrightStor Storage Command Center r11.5
BrightStor Storage Resource Manager r11.5
CleverPath Aion Business Rules Expert r10.1
CleverPath Aion Business Process Monitoring r10.1
CleverPath Predictive Analysis Server r3
DocServer 1.1
eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
eTrust Audit r8 SP2
eTrust Directory r8.1
eTrust IAM Suite r8.0
eTrust IAM Toolkit r8.0, r8.1
eTrust Identity Manager r8.1
eTrust Network Forensics r8.1
eTrust Secure Content Manager r8
eTrust Single Sign-On r7, r8, r8.1
eTrust Web Access Control 1.0
Unicenter Advanced Systems Management r11
Unicenter Asset Intelligence r11
Unicenter Asset Management r11
Unicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11
Unicenter Database Command Center r11.1
Unicenter Desktop and Server Management r11
Unicenter Desktop Management Suite r11
Unicenter Enterprise Job Manager r1 SP3, r1 SP4
Unicenter Job Management Option r11
Unicenter Lightweight Portal 2
Unicenter Management Portal r3.1.1
Unicenter Network and Systems Management r3.0, r11
Unicenter Network and Systems Management - Tiered - Multi Platform r3.0 0305, r3.1 0403, r11.0
Unicenter Patch Management r11
Unicenter Remote Control 6, r11
Unicenter Service Accounting r11, r11.1
Unicenter Service Assure r2.2, r11, r11.1
Unicenter Service Catalog r11, r11.1
Unicenter Service Delivery r11.0, r11.1
Unicenter Service Intelligence r11
Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1, r11.2
Unicenter Software Delivery r11
Unicenter TNG 2.4, 2.4.2, 2.4.2J
Unicenter Workload Control Center r1 SP3, r1 SP4
Unicenter Web Services Distributed Management 3.11, 3.50
Wily SOA Manager 7.1
Affected Platforms:
All operating system platforms supported by the various CA products that embed Ingres. This includes Windows, Linux, and supported UNIX platforms.
Status and Recommendation:
CA recommends that customers apply the appropriate fix(es) listed on the Security Notice page: http://supportconnectw.ca.com/[...]/ingres_secnotice.asp
Workaround: None
References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/
CA SupportConnect Security Notice for these vulnerabilities:
Ingres Security Alert
http://supportconnectw.ca.com/public/[...]/ingresvuln_letter.asp
Important Security Notice for Customers Using Products That Embed Ingres
http://supportconnectw.ca.com/premium/[...]/ingres/ingres_secnotice.asp
CA Security Advisor posting:
CA Products That Embed Ingres Multiple Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
CA Vuln ID (CAID): 35450, 35451, 35452, 35453
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35450
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35452
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35453
Ingres knowledge base document:
http://servicedesk.ingres.com/CAisd/[...]view.htmpl
Reported By: NGSSoftware, and iDefense
NGSSoftware Advisory:
http://www.ngssoftware.com/research/advisories/
iDefense Advisory:
Ingres Database Multiple Heap Corruption Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546
CVE References:
CVE-2007-3336, CVE-2007-3337, CVE-2007-3338, CVE-2007-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx