
CA20170109-01: Security Notice for CA Service Desk Manager

Issued: January 10, 2017
Last Updated: January 12, 2017

CA Technologies support is alerting customers to a potential risk with CA Service Desk Manager. A vulnerability exists in RESTful web services that can potentially allow a remote authenticated attacker to view or modify sensitive information. Fixes are available.

The vulnerability, CVE-2016-10086, is due to incorrect permissions being applied to certain RESTful requests that can allow a malicious user to view or update task information. This vulnerability only affects CA Service Desk Manager installations with RESTful web services running.

Risk Rating

Medium

Platform(s)

Windows, Linux, Solaris, AIX

Affected Products

CA Service Desk Manager 12.9
CA Service Desk Management 14.1

How to determine if the installation is affected

If RESTful web services are installed, the product may be vulnerable. Please check if RESTful web services are installed and running. The following command on the server where Service Desk is installed can give the status of the RESTful web services. If the status is "Running", the product installation is vulnerable.

pdm_tomcat_nxd -c status -t REST

If the above command results in an error code such as "Unknown status <0> received for REST Tomcat", run the following command appropriate for the platform. If the result contains "RESTful Services", then the installation is vulnerable.

Windows
pdm_status |findstr /i RESTful

Non-Windows
pdm_status | grep -i RESTful

Example result of a vulnerable installation with RESTful Services running:

RESTful Services   (pdm_tomca  Running       <hostname>)
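The check above, scripted so the fallback is applied automatically, as an added example that is not part of the advisory. It assumes pdm_tomcat_nxd and pdm_status are on the PATH of the Service Desk server and produce the strings quoted above; when those tools are absent it falls back to constructed sample output so the parsing logic can be exercised elsewhere.

```shell
#!/bin/sh
# Added example (not CA's code): decide whether this SDM host exposes the
# RESTful web services the notice describes, following the two-step
# procedure above. Constructed sample output stands in for the real
# commands when they are not installed.
SAMPLE_TOMCAT='Unknown status <0> received for REST Tomcat'
SAMPLE_PDM='RESTful Services   (pdm_tomca  Running       sdmhost-example)'

# Classify the output of: pdm_tomcat_nxd -c status -t REST
# Prints one of: affected | not-affected | unknown
classify_tomcat_status() {
    case "$1" in
        *"Unknown status"*) echo unknown ;;       # fall back to pdm_status
        *Running*)          echo affected ;;      # REST Tomcat is up
        *)                  echo not-affected ;;
    esac
}

# Classify the output of pdm_status: affected only if the "RESTful Services"
# line reports Running (the case-insensitive match mirrors grep -i above).
classify_pdm_status() {
    if printf '%s\n' "$1" | grep -i 'RESTful Services' | grep -q 'Running'; then
        echo affected
    else
        echo not-affected
    fi
}

# Run the live checks when the CA tools are present, otherwise use the
# samples; prints the final verdict.
check_sdm_rest() {
    if command -v pdm_tomcat_nxd >/dev/null 2>&1; then
        out=$(pdm_tomcat_nxd -c status -t REST 2>&1)
    else
        out="$SAMPLE_TOMCAT"
    fi
    verdict=$(classify_tomcat_status "$out")
    if [ "$verdict" = unknown ]; then
        if command -v pdm_status >/dev/null 2>&1; then
            out=$(pdm_status 2>&1)
        else
            out="$SAMPLE_PDM"
        fi
        verdict=$(classify_pdm_status "$out")
    fi
    echo "$verdict"
}

check_sdm_rest
```

A verdict of "affected" means the RESTful services are running and the fix for the platform should be applied; "not-affected" means the services are not running on this host, which is the condition the notice gives for not being exposed.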

Solution

Note: Customers must open a support case to obtain the T fixes. Customers using non-English SDM installations must also contact CA support for guidance.

Published fixes can be downloaded from
https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-service-desk-manager-solutions-patches.html

Product Version   Platform   Fix
12.9              Windows    RO93722
12.9              Linux      RO93730
12.9              Solaris    T52Y601
12.9              AIX        T52Y602
14.1              Windows    RO93720
14.1              Linux      RO93721
14.1              Solaris    T52Y593
14.1              AIX        T52Y594

References

CVE-2016-10086 - CA Service Desk Manager RESTful web services task vulnerability

Acknowledgement

CVE-2016-10086 - Bruno de Barros Bulle

Change History

Version 1.0: Initial Release
Version 2.0: 2017-01-12 - Updated and added additional instructions to the “How to determine if the installation is affected” section

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.
