Issued: March 04, 2010
Last Updated: March 25, 2010
CA's support is alerting customers to a security risk with CA SiteMinder. Multiple cross site scripting (XSS) vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information. CA has provided guidance to remediate the vulnerability.
The vulnerabilities, CVE-2009-3731, are due to insufficient validation of input strings. An attacker can potentially steal network domain credentials by enticing a user to visit a web page that contains malicious content.
Red Hat Linux
CA SiteMinder 6.0 (SP4 and earlier)
How to determine if the installation is affected
The vulnerability is caused by an issue with the publishing tool used to create the online help and HTML documentation for older CA SiteMinder releases (6.0 SP4 all CRs and earlier). CA stopped using this publishing tool beginning with SiteMinder 6.0 SP5.
This vulnerability affects CA SiteMinder in the following ways:
In both cases, this vulnerability applies if web access to the associated web servers has been configured to make use of non-public (client-specific) information.
CVE-2009-3731 - WebWorks Help XSS
CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net)
Version 1.0: Initial Release
Version 1.1: Updated "How to determine if the installation is affected" and "Solution" sections.
If additional information is required, please contact CA Support at https://support.ca.com.
If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.