CA20110510-01: Security Notice for CA eHealth
Issued: May 10, 2011
CA Technologies support is alerting customers to a security risk with CA eHealth. A vulnerability exists that may potentially allow an attacker to compromise web user security.
The vulnerability, CVE-2011-1899, occurs due to insufficient validation of sent request parameters. An attacker, who can convince a user to follow a carefully constructed link or view a malicious web page, can conduct various cross-site scripting attacks.
Note: The "Scan user input for potentially malicious HTML content" configuration option does not protect against this vulnerability.
CA eHealth 6.0.x
CA eHealth 6.1.x
CA eHealth 6.2.1
CA eHealth 6.2.2
How to determine if the installation is affected
Locate the following file on the respective platform:
|Platform ||File Path |
|Windows ||"%NH_HOME%extensionslocal42339.log" |
|Unix ||"$NH_HOME/extensions/local/42339.log" |
If the file is not present, the installation is vulnerable.
Customers may contact CA Technologies support to obtain a patch that resolves this issue. Request the patch for PRD 42339 when submitting the support ticket.
CVE-2011-1899 - eHealth cross-site scripting
CVE-2011-1899 - Tony Fogarty
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.