CA20160627-01: Security Notice for Release Automation - CA Technologies
{{search ? 'Close':'Search'}}

CA20160627-01: Security Notice for Release Automation

Issued: June 27, 2016
Last Updated: June 27, 2016

CA Technologies Support is alerting customers to multiple potential risks with CA Release Automation. Three vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information or cause a denial of service condition. CA has fixes available.

The first vulnerability, CVE-2015-7370, occurs due to the inclusion of a vulnerable 3rd party component, Open Flash Chart. A remote attacker can conduct cross-site scripting attacks. CA technologies assigned a Medium risk rating to this vulnerability.

The second vulnerability, CVE-2015-8698, occurs due to insufficient verification of requests to the web server, which can lead to limited XML external entity attacks. An authenticated attacker in the local network can potentially gain sensitive information or cause a denial of service condition. CA technologies assigned a Medium risk rating to this vulnerability.

The third vulnerability, CVE-2015-8699, occurs due to insufficient verification of requests to the web interface, which leads to multiple reflected cross-site scripting vulnerabilities and one stored cross-site scripting vulnerability. CA technologies assigned a Medium risk rating to these vulnerabilities.

Risk Rating

CVE Identifier Risk Vulnerable Releases
CVE-2015-7370 Medium CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
CVE-2015-8698 Medium CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
CVE-2015-8699 Medium CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004

Platform(s)

All platforms

Affected Products

CA Release Automation (formerly CA LISA Release Automation) prior to and including 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004

How to determine if the installation is affected

Customers may check the build number of their RA installation at the Help->About menu option at the ROC web application. 

Customers may also determine which fixes are applied by looking at the Fix_Maintenance directory.

Windows example:
C:Program FilesCALISAReleaseAutomationServerFix_Maintenance

Linux, Solaris example:
/opt/LISAReleaseAutomationServer/Fix_Maintenance

If the installed product Fix build is less than the build number in the below table, the installation is vulnerable.

Product release Fix build
CA Release Automation 6.1.0 6.1.0-1026
CA Release Automation 5.5.1 5.5.1-1616
CA Release Automation 5.5.2 5.5.2-434
CA Release Automation 5.0.2 5.0.2-227

Solution

CA Technologies has issued the following updates to address the vulnerabilities.

CA Release Automation 6.1.0:
Update to CA Release Automation 6.1.0-1026 or later

CA Release Automation 5.5.1:
Update to CA Release Automation 5.5.1-1616 or later

CA Release Automation 5.5.2:
Update to CA Release Automation 5.5.2-434 or later

CA Release Automation 5.0.2:
Update to CA Release Automation 5.0.2-227 or later

References

CVE-2015-7370 - Open Flash Chart XSS
CVE-2015-8698 - Release Automation XXE
CVE-2015-8699 - Release Automation multiple XSS

Acknowledgement

CVE-2015-7370, CVE-2015-8698, CVE-2015-8699 - Marcin Wołoszyn, ING

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.

Chat with CA

Just give us some brief information and we'll connect you to the right CA Expert.

Our hours of availability are 8AM - 5PM CST.

All Fields Required

connecting

We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile


  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.


    How Did We Do?
    Let us know how we did so that we can maintain a quality experience.

    Take Our Survey >

    Rate Your Chat Experience.

    {{chat.statusMsg}}

agent is typing