=====================================================================
                            CERT-Renater

                 Information Note No. 2011/VULN346
_____________________________________________________________________

DATE                 : 21/04/2011

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running CA Output Management Web Viewer
                       version 11.0, 11.5.

======================================================================
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={DED5B724-B500-46DA-A855-B2AF457B5364}
______________________________________________________________________

CA20110420-02: Security Notice for CA Output Management Web Viewer

Issued: April 20, 2011

CA Technologies support is alerting customers to security risks
associated with CA Output Management Web Viewer. Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary code. CA
Technologies has issued patches to address the vulnerabilities.

The vulnerabilities, CVE-2011-1719, are due to boundary errors in the
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote
attacker can create a specially crafted web page to exploit the flaws
and potentially execute arbitrary code.

Risk Rating

High

Platform

Windows

Affected Products

CA Output Management Web Viewer 11.0
CA Output Management Web Viewer 11.5

How to determine if the installation is affected

If the end-user controls are at a version that is less than the
versions listed below, the installation is vulnerable.

File Name                  Version
UOMWV_HelperActiveX.ocx    11.5.0.1
PPSView.ocx                1.0.0.7

Solution

CA has issued the following patches to address the vulnerability.

CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).

CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).
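
The version check described under "How to determine if the installation is affected" can be scripted for end-user workstations. The following PowerShell is an added example, not code from CA Technologies or CERT-Renater. The function name Test-CaWebViewerControls and the default search folder are assumptions: the advisory does not say where the controls are installed, so pass the folders that apply to your deployment. It needs PowerShell 3.0 or later.

```powershell
# Added example (not vendor code). The minimum versions come from the
# advisory's table; a control below its minimum is reported as VULNERABLE.
$FixedVersions = @{
    'UOMWV_HelperActiveX.ocx' = [version]'11.5.0.1'
    'PPSView.ocx'             = [version]'1.0.0.7'
}

function Test-CaWebViewerControls {
    param(
        # Assumption: the advisory gives no install path. This default is the
        # usual Internet Explorer ActiveX download cache.
        [string[]]$SearchRoot = @("$env:windir\Downloaded Program Files")
    )

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $FixedVersions.ContainsKey($_.Name) } |
            ForEach-Object {
                $info = $_.VersionInfo
                # Build the version from its numeric parts: the FileVersion
                # string may be formatted as "11, 5, 0, 1" or carry extra text.
                $found = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
                    $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
                $fixed = $FixedVersions[$_.Name]

                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Path     = $_.FullName
                    Found    = $found
                    Fixed    = $fixed
                    Status   = if ($found -lt $fixed) { 'VULNERABLE' } else { 'OK' }
                }
            }
    }
}

# Report every copy of the two controls found under the search folders.
Test-CaWebViewerControls | Format-Table -AutoSize
```

A file with no version resource is read as 0.0.0.0 and is therefore reported as VULNERABLE, which errs on the side of review.
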

References

CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer
Overflows

Acknowledgement

Dmitriy Pletnev, Secunia Research

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          |    tel : 01-53-94-20-44       +
+ 23 - 25 Rue Daviel    |    fax : 01-53-94-20-41       +
+ 75013 Paris           |    email: certsvp@renater.fr  +
=========================================================