CA20150407-01: Security Notice for CA Spectrum
Issued: April 07, 2015
CA Technologies Support is alerting customers to multiple potential risks with CA Spectrum. Two vulnerabilities exist that can potentially allow a remote authenticated attacker to gain sensitive information or escalate privileges.
The first issue is a stored cross-site scripting vulnerability, CVE-2015-2827, which occurs due to insufficient validation of requests. An authenticated remote attacker can potentially execute script with increased privileges.
The second issue, CVE-2015-2828, occurs due to insufficient validation of data sent using serialized Java objects. A remote authenticated attacker can potentially gain administrative privileges on the host.
CA Spectrum 9.2.x
CA Spectrum 9.3, 9.3 H01
CA Spectrum 9.3 H02 and newer releases
CA Spectrum 9.4 and newer releases
How to determine if the installation is affected
Use one of the below methods to find the CA Spectrum product version:
- CA OneClick Console: Click on Help -> About
- Open the Spectrum Console Panel on the SpectroServer and click on Help -> About
- On SpectroServer: Go to the Spectrum install directory, open the .installrc file and find the VERSION
CA Spectrum 9.2.x:
Update to CA Spectrum 9.3 H02, 9.4 or the latest available release
CA Spectrum 9.3, 9.3 H01:
Update to CA Spectrum 9.3 H02 or the latest available release
CVE-2015-2827 - Spectrum stored cross-site scripting vulnerability
CVE-2015-2828 - Spectrum serialized Java object privilege escalation
CVE-2015-2827, CVE-2015-2828 - Neil Jones, NCC Group
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies Support at https://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team