CA20110720-01: Security Notice for CA Gateway Security and Total Defense
Issued: July 20, 2011
CA Technologies support is alerting customers to a security risk with CA Gateway Security. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA has issued an update that resolves the vulnerability.
The vulnerability, CVE-2011-2667, occurs due to insufficient bounds checking that can result in a memory overwrite on the heap. By sending a malformed request, an attacker can overwrite a sensitive portion of heap memory, which can potentially result in server compromise.
CA Gateway Security 8.1
CA Total Defense r12
CA Gateway Security 9.0
How to determine if the installation is affected
From the CA Gateway Security Management Console, select About to view version information. If the version displayed is less than 220.127.116.11, the installation is vulnerable.
Gateway Security r8.1:
Apply fix RO32642
Alternatively, update to Gateway Security 9.0 available from the CA support site.
CVE-2011-2667 - Gateway Security memory corruption
CVE-2011-2667 - Andrea Micalizzi via the TippingPoint ZDI
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies Support at https://support.ca.com.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.