CA20141215-01: Security Notice for CA LISA Release Automation - CA Technologies

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple vulnerabilities in CA Release Automation (formerly CA LISA Release Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery (CSRF) issue related to insufficient validation. A remote attacker can potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS) issue caused by insufficient input filtering. A remote attacker can execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused by insufficient input sanitization. An attacker with a non-privileged account could utilize a specially crafted query to access privileged information.

Risk Rating




Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the RA “About Automation Studio” page and check the displayed version. Patched systems will display version or later.

Alternatively, you can see which fixes are applied by looking at the fix folders in the Fix_Maintenance directory.
Windows example:
C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance
Linux, Solaris example:


CA Technologies has issued the following fix to address the vulnerabilities.

CA Release Automation 4.7.1:
Apply Hot Fix 5 (cumulative hot fix b448) for CA LISA Release Automation 4.7.1.




CVE-2014-8246 – Release Automation cross-site request forgery (CSRF)
CVE-2014-8247 – Release Automation cross-site scripting (XSS)
CVE-2014-8248 – Release Automation SQL injection


CVE-2014-8246 – Lukasz Plonka, Julian Horoszkiewicz
CVE-2014-8247 – Julian Horoszkiewicz
CVE-2014-8248 – Lukasz Plonka

Change History

v1.0: 2014-12-15, Initial Release

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at

CA Technologies Product Vulnerability Response Team PGP Key
