Issued: January 07, 2009
CA's support is alerting customers to a security risk associated with CA Service Metric Analysis and CA Service Level Management. A vulnerability exists that can allow a remote attacker to execute arbitrary commands. CA has issued patches to address the vulnerability.
The vulnerability, CVE-2009-0043, is due to insufficient access restrictions associated with the smmsnmpd service. A remote attacker can exploit this vulnerability to execute arbitrary commands in the context of the service.
CA Service Level Management 3.5
CA Service Metric Analysis r11.0
CA Service Metric Analysis r11.1
CA Service Metric Analysis r11.1 SP1
How to determine if the installation is affected
CA has issued the following patches to address the vulnerabilities.
CA Service Level Management 3.5:
CA Service Metric Analysis r11.0:
CA Service Metric Analysis r11.1,
CA Service Metric Analysis r11.1 SP1:
The only workaround is to disable the smmsnmpd Windows service in the "services.msc" application. However, doing so will also disable any SNMP-based metric data collection that is currently in use.
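The same workaround can be scripted for hosts where the patch cannot be applied yet. The following is an added example, not part of the CA advisory: it assumes Windows PowerShell (for Get-WmiObject) and that the service's Name or DisplayName contains "smmsnmpd", which should be confirmed on the host. The `-Pattern` and `-Apply` parameters are hypothetical names chosen for this script.

```powershell
# Added example: report on, and optionally disable, the smmsnmpd service.
# Assumption: the service Name or DisplayName contains "smmsnmpd"; confirm on your host.
param(
    [string]$Pattern = 'smmsnmpd',   # assumed match string, taken from the advisory text
    [switch]$Apply                   # without -Apply the script only reports
)

# Win32_Service exposes StartMode and PathName, which Get-Service lacks on older PowerShell.
$services = @(Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -like "*$Pattern*" -or $_.DisplayName -like "*$Pattern*" })

if ($services.Count -eq 0) {
    Write-Output "No service matching '$Pattern' found on $env:COMPUTERNAME."
    return
}

foreach ($svc in $services) {
    # Record the prior state so the change can be reverted once the patch is installed.
    Write-Output ("{0}: State={1} StartMode={2} Path={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)

    if (-not $Apply) { continue }

    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    }
    Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop

    # Re-query to verify that the workaround took effect.
    $after = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $svc.Name)
    if ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled') {
        Write-Output "$($svc.Name): stopped and disabled."
    } else {
        Write-Warning "$($svc.Name): State=$($after.State) StartMode=$($after.StartMode); check manually."
    }
}
```

Run it without `-Apply` first to see which service matched and to capture its original start mode, then rerun with `-Apply` from an elevated prompt.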
CVE-2009-0043 - SMA smmsnmpd command execution
CVE-2009-0043 - Michel Arboi of Tenable Network Security
Version 1.0: Initial Release
If additional information is required, please contact CA Support at https://support.ca.com/.
If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.