CA20130725-01: Security Notice for CA Service Desk Manager
Issued: July 25, 2013
CA Technologies Support is alerting customers to a potential risk with CA Service Desk Manager. A vulnerability exists that can allow a remote attacker to conduct cross-site scripting attacks. CA Technologies published patches to address the vulnerability.
The vulnerability, CVE-2013-2630, occurs due to insufficient verification of URL query string parameters. An attacker, who can have an unsuspecting user follow a carefully constructed URL, may perform various cross-site scripting attacks.
Windows, Sun, AIX, Linux
CA Service Desk Manager 12.5
CA Service Desk Manager 12.6
CA Service Desk Manager 12.7
How to determine if the installation is affected
Steps to identify the Service Desk Manager version and if the relevant patch is installed:
- Navigate to the $NX_ROOT directory on the Service Desk Server.
Note: NX_ROOT points to the Service Desk Manager installation directory which by default is
"C:Program FilesCAService Desk Manager" for Windows or "/opt/CAisd/" for Solaris, Aix, and Linux.
- Identify the Service Desk Manager application version using the following steps:
- Navigate to the "$NX_ROOTpdmconf" directory for Windows or "$NX_ROOT/pdmconf/" for Solaris, Aix, and Linux
- Locate the file with the name "version" and open it with a text editor.
- The version of Service Desk can be noted from the file (Example: Version r12.6).
- Locate the file <machine_name>.his under $NX_ROOT directory.
Note: The file may not exist if the Service Desk Manager server is unpatched.
- Open the file with a text editor and locate the patch based on the matrix below for the corresponding Service Desk Manager version and operating system:
An example entry found in the history file:
[DATE] - PTF Wizard installed RO59355 (USRD) RELEASE=12.7
- If the corresponding patch is not installed, then the installation might be vulnerable.
CA Technologies published the following patches to address the vulnerabilities.
CA Service Desk Manager 12.5 Windows:
CA Service Desk Manager 12.5 Sun:
CA Service Desk Manager 12.5 AIX:
CA Service Desk Manager 12.5 Linux:
CA Service Desk Manager 12.6 Windows:
CA Service Desk Manager 12.6 Sun:
CA Service Desk Manager 12.6 AIX:
CA Service Desk Manager 12.6 Linux:
CA Service Desk Manager 12.7 Windows:
CA Service Desk Manager 12.7 Sun:
CA Service Desk Manager 12.7 AIX:
CA Service Desk Manager 12.7 Linux:
CVE-2013-2630 - Puneeth Kumar R
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies Support at https://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.