CA20160323-01: Security Notice for CA Single Sign-On Web Agents - CA Technologies

Issued: March 23, 2016
Last Updated: March 23, 2016

CA Technologies Support is alerting customers to potential risks with CA Single Sign-On (CA SSO), formerly known as CA SiteMinder. Michael Brooks of BishopFox alerted CA to vulnerabilities that can allow a remote attacker to cause a denial of service or possibly gain sensitive information. CA has fixes that address the vulnerabilities.

The first vulnerability, CVE-2015-6853, occurs due to insufficient verification of requests in the CA SSO Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. Only CA SSO customers using the Domino web agent are affected by this vulnerability.

The second vulnerability, CVE-2015-6854, occurs due to insufficient verification of requests in all CA SSO web agents other than the Domino web agent. A remote attacker can make a request that could result in a crash or disclose sensitive information. CA has assigned this vulnerability a High risk rating. The web agents in CA SSO versions 12.51 and 12.52 are not affected by this vulnerability. Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are also not affected by this vulnerability.

Risk Rating

CVE Identifier     Risk
CVE-2015-6853      High
CVE-2015-6854      High

Platform

All supported platforms

Affected Products

CVE-2015-6853 applies to the Domino web agent with the following versions:

CA Single Sign-On R6, R12, R12.0J, R12.5, R12.51, R12.52

CVE-2015-6854 applies to all web agents, except the Domino agent, with the following versions:

CA Single Sign-On R6, R12, R12.0J, R12.5

Note: Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are not impacted by these vulnerabilities.

How to determine if the installation is affected

Compare the installed web agent version with the fix versions in the Solution section. To determine the installed version, enable web agent logging and examine the web agent log; an agent at a version earlier than the fix version listed for its release is affected.

Solution

Customers running R6 agents should update to a web agent from CA SSO R12.0 SP3 CR13, R12.0J SP3 CR1.2, R12.5 CR5, R12.51 CR4, or R12.52 SP1 CR3.

Fix table for CVE-2015-6853

Web Agent Version              Fix Version
R12.0 Domino web agent         R12.0 SP3 CR13
R12.0J Domino web agent        R12.0J SP3 CR1.2
R12.5 Domino web agent         R12.5 CR5
R12.51 Domino web agent        R12.51 CR4
R12.52 Domino web agent        R12.52 SP1 CR3

Fix table for CVE-2015-6854

Web Agent Version                                 Fix Version
R12.0 web agents except the Domino web agent      R12.0 SP3 CR13
R12.0J web agents except the Domino web agent     R12.0J SP3 CR1.2
R12.5 web agents except the Domino web agent      R12.5 CR5
R12.51 web agents except the Domino web agent     Not affected
R12.52 web agents except the Domino web agent     Not affected

Note: No R6 fix version is listed; customers should update SSO R6 web agents to one of the fixed R12.52, R12.51, or R12 agent versions given in the Solution section.
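Checking an agent inventory against the two fix tables by hand is easy to get wrong (CR1.2 must sort between CR1 and CR2, R12.51/R12.52 are affected only for the Domino agent, and R6 has no fix on its own train). The following is an added example, not CA's code: it encodes the fix tables from this notice and returns a per-CVE verdict for one agent. It assumes the version string has already been read out of the web agent log and is written in the notice's own naming ("R12.0 SP3 CR13", "R12.5 CR5", "R6"); it also assumes that any SP/CR at or above the listed fix level carries the fix. The inventory at the bottom is constructed sample data.

```python
"""Triage CA Single Sign-On web agent versions against CA20160323-01.

Added example, not CA's code. Encodes the notice's two fix tables and reports,
for one agent, whether CVE-2015-6853 / CVE-2015-6854 apply. The version string
is assumed to come from the web agent log in the notice's own naming.
"""
import re
from typing import Dict, Tuple

# (service pack, CR as a tuple of ints) so that "CR1.2" sorts between CR1 and CR2.
Level = Tuple[int, Tuple[int, ...]]

# Minimum fixed level per release train, taken from the fix tables above.
FIX_6853: Dict[str, Level] = {          # Domino web agent
    "12.0":  (3, (13,)),
    "12.0J": (3, (1, 2)),
    "12.5":  (0, (5,)),
    "12.51": (0, (4,)),
    "12.52": (1, (3,)),
}
FIX_6854: Dict[str, Level] = {          # every web agent other than Domino
    "12.0":  (3, (13,)),
    "12.0J": (3, (1, 2)),
    "12.5":  (0, (5,)),
}
NOT_AFFECTED_6854 = {"12.51", "12.52"}  # per the notice, regardless of CR

# "R12.0J SP3 CR1.2" -> train "12.0J", SP 3, CR (1, 2). SP and CR are optional.
_VERSION_RE = re.compile(
    r"^R?(?P<train>\d+(?:\.\d+)?J?)(?:\s+SP(?P<sp>\d+))?(?:\s+CR(?P<cr>\d+(?:\.\d+)*))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, Level]:
    """Split an agent version string into (release train, (SP, CR))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    train = m.group("train").upper()
    if train == "12":            # the notice writes "R12" for the R12.0 train
        train = "12.0"
    sp = int(m.group("sp") or 0)
    cr = tuple(int(p) for p in (m.group("cr") or "0").split("."))
    return train, (sp, cr)


def status_for(version: str, domino: bool) -> Dict[str, str]:
    """Return {CVE: verdict} for one web agent.

    domino=True for the Domino web agent, False for any other web agent.
    SPS, SharePoint, application server, ERP, Option Pack and custom agents
    are out of scope for both CVEs per the notice and are not modelled here.
    """
    train, level = parse_version(version)
    verdicts: Dict[str, str] = {}
    for cve, table, applies in (
        ("CVE-2015-6853", FIX_6853, domino),
        ("CVE-2015-6854", FIX_6854, not domino),
    ):
        if not applies:
            verdicts[cve] = "not affected (other agent type)"
        elif train == "6":
            # R6 is listed as affected for both CVEs and has no fix on its own
            # train; the notice says to move to a fixed R12.x agent.
            verdicts[cve] = "affected; upgrade to a fixed R12.x agent"
        elif cve == "CVE-2015-6854" and train in NOT_AFFECTED_6854:
            verdicts[cve] = "not affected"
        elif train not in table:
            verdicts[cve] = "not covered by this notice"
        elif level >= table[train]:
            # Assumption: any SP/CR at or above the fix level carries the fix.
            verdicts[cve] = "fixed"
        else:
            verdicts[cve] = "affected"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = [
        ("dom-01", "R12.52 SP1 CR2", True),
        ("dom-02", "R12.0J SP3 CR1.2", True),
        ("web-01", "R12.0 SP3 CR12", False),
        ("web-02", "R12.51 CR1", False),
        ("web-03", "R6", False),
    ]
    for host, ver, is_domino in inventory:
        print(host, ver, status_for(ver, is_domino))
```

Run it as a script to see the constructed inventory triaged; in practice feed it the version read from each agent's log. Version strings that do not match the notice's naming raise instead of silently passing, so an unparsed agent shows up rather than being reported as safe.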

References

CVE-2015-6853 - Single Sign-On Domino web agent denial of service, information disclosure
CVE-2015-6854 - Single Sign-On web agent (non-Domino) denial of service, information disclosure

Acknowledgement

CVE-2015-6853, CVE-2015-6854 - Michael Brooks of BishopFox

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.

Copyright (c) 2016 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
