CA20161109-01:  Security Notice for CA Unified Infrastructure Management

Issued:  November 09, 2016
Last Updated:  December 28, 2016

CA Technologies Support is alerting customers to three vulnerabilities in CA Unified Infrastructure Management (formerly CA Nimsoft).  The first vulnerability, CVE-2016-9165, involves insecure handling of session IDs.  A remote attacker can potentially acquire a session ID and bypass authentication or elevate privileges.  The second vulnerability, CVE-2016-9164, is a path traversal information disclosure vulnerability associated with the diag.jsp file.  A remote attacker can potentially access sensitive information.  The third vulnerability, CVE-2016-5803, is a path traversal information disclosure vulnerability associated with the download_lar.jsp file.  A remote attacker can potentially access sensitive information.  CA Technologies has assigned Medium and High risk ratings to these vulnerabilities.  Solutions are available.

Update 2016-12-28:  Unified Infrastructure Management 8.4 SP2 and 8.47 did not resolve CVE-2016-5803.  Upgrade to Unified Infrastructure Management 8.5 or later to completely resolve all three vulnerabilities.
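The two path traversal issues above (CVE-2016-9164 in diag.jsp and CVE-2016-5803 in download_lar.jsp) can be watched for in web-server access logs while an upgrade is scheduled.  The following detector is an added example written for this notice; it is not CA tooling and the advisory does not describe the vulnerable request format.  It assumes Common Log Format lines and checks, after percent-decoding (including double encoding), whether a request to either JSP carries a ".." traversal sequence in its path or in any query value, without relying on any particular parameter name.  The sample log lines and the parameter names in them are constructed.

```python
"""Flag path traversal attempts against the JSP endpoints named in CA20161109-01.
Added example for this advisory page; not CA Technologies code."""
import re
from urllib.parse import urlsplit, unquote

# Endpoints named in the advisory (matched as a path segment, case-insensitive).
WATCHED_ENDPOINTS = {"diag.jsp", "download_lar.jsp"}

# A ".." segment bounded by slashes/backslashes or string ends (after decoding).
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(target):
    """True if the request target hits a watched endpoint and any decoded
    path or query value contains a traversal sequence."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    segments = [seg.lower() for seg in path.split("/")]
    if not any(seg in WATCHED_ENDPOINTS for seg in segments):
        return False
    candidates = [path]
    for pair in parts.query.split("&"):
        if not pair:
            continue
        _, _, raw_value = pair.partition("=")  # parameter name is irrelevant
        candidates.append(fully_decode(raw_value))
    return any(TRAVERSAL_RE.search(c) for c in candidates)

def scan_log(lines):
    """Return one record per flagged request; unparseable lines are skipped.
    A 2xx status on a flagged request means the traversal was likely served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m.group("target")):
            continue
        hits.append({"client": m.group("client"), "time": m.group("time"),
                     "target": m.group("target"), "status": int(m.group("status"))})
    return hits

# Constructed sample lines; the "file"/"name" parameter names are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2016:10:01:22 +0000] "GET /diag.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Nov/2016:10:01:30 +0000] "GET /diag.jsp?file=..%2F..%2F..%2Fconf%2Fsettings HTTP/1.1" 200 1984',
    '10.0.0.9 - - [10/Nov/2016:10:02:01 +0000] "GET /download_lar.jsp?name=%252e%252e%252f%252e%252e%252fconf HTTP/1.1" 200 3301',
    '10.0.0.7 - - [10/Nov/2016:10:03:15 +0000] "GET /other.jsp?file=../../x HTTP/1.1" 404 0',
    '10.0.0.8 - - [10/Nov/2016:10:04:00 +0000] "GET /diag.jsp?file=report..txt HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['target']} ({hit['status']})")
```

Only the two requests from 10.0.0.9 are flagged: the benign diag.jsp call, the request to an endpoint not named in the notice, and the "report..txt" value (dots not forming a path segment) all pass.  Hits with a 200 status deserve follow-up on the host, since the advisory states the traversal leads to disclosure of sensitive information.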

Risk Rating

CVE-2016-9164 - Medium
CVE-2016-9165 - Medium
CVE-2016-5803 - High

Platform(s)

All

Affected Products

CA Unified Infrastructure Management 8.47 and earlier (formerly CA Nimsoft Monitor)
CA Unified Infrastructure Management Snap (formerly CA Nimsoft Monitor Snap)

How to determine if the installation is affected

Check the installed product version.

Solution

Upgrade to CA Unified Infrastructure Management 8.5 or later.

Workaround

None

References

CVE-2016-9165 - CA UIM Session ID Vulnerability
CVE-2016-9164 - CA UIM diag.jsp Path Traversal Vulnerability
CVE-2016-5803 - CA UIM download_lar.jsp Path Traversal Vulnerability

Acknowledgement

CVE-2016-9165 - rgod working with Trend Micro's Zero Day Initiative
CVE-2016-9164 - rgod working with Trend Micro's Zero Day Initiative
CVE-2016-5803 - rgod working with Trend Micro's Zero Day Initiative

Change History

Version 1.0:  Initial Release, 2016-11-09
Version 2.0:  Updated Affected Products and Solution sections because 8.4 SP2 and 8.47 did not resolve CVE-2016-5803.  Upgrade to Unified Infrastructure Management 8.5 or later to completely resolve all three vulnerabilities.

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com.

CA Technologies Product Vulnerability Response Team PGP Key
