CA20160627-01: Security Notice for Release Automation
Issued: June 27, 2016
Last Updated: June 27, 2016
CA Technologies Support is alerting customers to multiple potential risks with CA Release Automation. Three vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information or cause a denial of service condition. CA has fixes available.
The first vulnerability, CVE-2015-7370, occurs due to the inclusion of a vulnerable third-party component, Open Flash Chart. A remote attacker can conduct cross-site scripting attacks. CA Technologies assigned a Medium risk rating to this vulnerability.
The second vulnerability, CVE-2015-8698, occurs due to insufficient verification of requests to the web server, which can lead to limited XML external entity attacks. An authenticated attacker on the local network can potentially gain sensitive information or cause a denial of service condition. CA Technologies assigned a Medium risk rating to this vulnerability.
The third vulnerability, CVE-2015-8699, occurs due to insufficient verification of requests to the web interface, which leads to multiple reflected cross-site scripting vulnerabilities and one stored cross-site scripting vulnerability. CA Technologies assigned a Medium risk rating to these vulnerabilities.
| CVE Identifier | Risk | Vulnerable Releases |
|---|---|---|
| CVE-2015-7370 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
| CVE-2015-8698 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
| CVE-2015-8699 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
CA Release Automation (formerly CA LISA Release Automation) prior to and including 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
How to determine if the installation is affected
Customers may check the build number of their RA installation via the Help->About menu option in the ROC web application.
Customers may also determine which fixes are applied by looking at the Fix_Maintenance directory.
Linux, Solaris example:
If the installed product Fix build is less than the build number in the below table, the installation is vulnerable.
| Product release | Fix build |
|---|---|
| CA Release Automation 6.1.0 | 6.1.0-1026 |
| CA Release Automation 5.5.1 | 5.5.1-1616 |
| CA Release Automation 5.5.2 | 5.5.2-434 |
| CA Release Automation 5.0.2 | 5.0.2-227 |
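The check described above, applied across several installations, as an added example that is not CA's own tooling: it assumes the build strings read from Help->About follow the `release-build` format used in the advisory's tables (for example `5.5.2-409`) and compares them against the fix builds listed there.

```python
from __future__ import annotations

import re
from typing import Optional

# Fix builds from the advisory's table: the first build of each release
# that contains the fixes for CVE-2015-7370, CVE-2015-8698 and CVE-2015-8699.
FIX_BUILDS = {
    "6.1.0": 1026,
    "5.5.1": 1616,
    "5.5.2": 434,
    "5.0.2": 227,
}

# Assumed format of the build string shown at Help->About: "x.y.z-nnnn".
BUILD_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)$")


def parse_build(build: str) -> tuple[str, int]:
    """Split a build string such as '5.5.2-409' into ('5.5.2', 409)."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return m.group(1), int(m.group(2))


def is_vulnerable(build: str) -> Optional[bool]:
    """Apply the advisory's rule: vulnerable if the installed fix build is
    lower than the fix build listed for that release. Returns None when the
    release is not one covered by the advisory's table."""
    release, number = parse_build(build)
    fix = FIX_BUILDS.get(release)
    if fix is None:
        return None
    return number < fix


def triage(installs: dict[str, str]) -> dict[str, str]:
    """Map each vulnerable host to the minimum build it must be updated to.
    Hosts on unlisted releases or already at/above the fix build are omitted."""
    needs_update: dict[str, str] = {}
    for host, build in installs.items():
        if is_vulnerable(build):
            release, _ = parse_build(build)
            needs_update[host] = f"{release}-{FIX_BUILDS[release]}"
    return needs_update


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ra-prod-01": "5.5.2-409", "ra-qa-01": "6.1.0-1026", "ra-dev-01": "5.0.2-193"}
    for host, target in triage(sample).items():
        print(f"{host}: update to {target} or later")
```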
CA Technologies has issued the following updates to address the vulnerabilities.
CA Release Automation 6.1.0:
Update to CA Release Automation 6.1.0-1026 or later
CA Release Automation 5.5.1:
Update to CA Release Automation 5.5.1-1616 or later
CA Release Automation 5.5.2:
Update to CA Release Automation 5.5.2-434 or later
CA Release Automation 5.0.2:
Update to CA Release Automation 5.0.2-227 or later
CVE-2015-7370 - Open Flash Chart XSS
CVE-2015-8698 - Release Automation XXE
CVE-2015-8699 - Release Automation multiple XSS
CVE-2015-7370, CVE-2015-8698, CVE-2015-8699 - Marcin Wołoszyn, ING
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.