====================================================================
CERT-Renater Information Note No. 2017/VULN008
_____________________________________________________________________
DATE : 13/01/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running CA Service Desk Manager versions 12.9, 14.1.
=====================================================================

https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20170109-01-security-notice-for-ca-service-desk-manager.html
____________________________________________________________________

CA20170109-01: Security Notice for CA Service Desk Manager

Issued: January 10, 2017
Last Updated: January 10, 2017

CA Technologies support is alerting customers to a potential risk with CA Service Desk Manager. A vulnerability exists in RESTful web services that can potentially allow a remote authenticated attacker to view or modify sensitive information. Fixes are available.

The vulnerability, CVE-2016-10086, is due to incorrect permissions being applied to certain RESTful requests, which can allow a malicious user to view or update task information. This vulnerability only affects CA Service Desk Manager installations with RESTful web services running.

Risk Rating

Medium

Platform(s)

Windows, Linux, Solaris, AIX

Affected Products

CA Service Desk Manager 12.9
CA Service Desk Manager 14.1

How to determine if the installation is affected

If RESTful web services are installed, the product could be vulnerable. Please check whether RESTful web services are installed and running. The following command, run on the server where Service Desk is installed, reports the status of the RESTful web services:

pdm_tomcat_nxd -c status -t REST

If the status is Running, the product installation is vulnerable.
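The manual check above, as an added shell script that is not part of the CA notice or the product: it decides from the status output whether the REST service is running and reports the fix ID from the notice's table for an operator-supplied version and platform. The sample status line is constructed, and the assumption that the real command's output contains the word "Running" is taken from the notice's wording.

```shell
#!/bin/sh
# Added example, not CA code. Assumes "pdm_tomcat_nxd -c status -t REST"
# prints a line containing "Running" when the REST service is up (as the
# notice describes); real output format is otherwise unknown here.

# Constructed sample of what a status line might look like (not real tool output).
SAMPLE_STATUS='REST service status: Running'

# Print "yes" if the supplied status text indicates the REST service is running.
rest_is_running() {
    printf '%s\n' "$1" | grep -qi 'running' && echo yes || echo no
}

# Map product version and platform to the fix ID listed in the notice.
# Prints "unknown" for combinations the notice does not cover.
fix_for() {
    case "$1,$2" in
        12.9,Windows) echo RO93722 ;;
        12.9,Linux)   echo RO93730 ;;
        12.9,Solaris) echo T52Y601 ;;
        12.9,AIX)     echo T52Y602 ;;
        14.1,Windows) echo RO93720 ;;
        14.1,Linux)   echo RO93721 ;;
        14.1,Solaris) echo T52Y593 ;;
        14.1,AIX)     echo T52Y594 ;;
        *)            echo unknown ;;
    esac
}

# Full check on the Service Desk server. Version and platform are hypothetical
# operator-supplied arguments; the status comes from the real command when found.
# Exit 1 = exposed (REST running), 0 = not exposed, 2 = could not determine.
check_sdm_rest() {
    version="$1"; platform="$2"
    if ! command -v pdm_tomcat_nxd >/dev/null 2>&1; then
        echo "pdm_tomcat_nxd not found; run this on the Service Desk server" >&2
        return 2
    fi
    status=$(pdm_tomcat_nxd -c status -t REST 2>&1)
    if [ "$(rest_is_running "$status")" = yes ]; then
        echo "REST service running: apply fix $(fix_for "$version" "$platform")"
        return 1
    fi
    echo "REST service not running: not exposed to CVE-2016-10086"
    return 0
}
```

Run as `check_sdm_rest 14.1 Linux` on the server; the exit code is suitable for scheduling in a fleet-wide inventory job.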
Solution

Product Version, Platform    Fix
12.9, Windows                RO93722
12.9, Linux                  RO93730
12.9, Solaris                T52Y601
12.9, AIX                    T52Y602
14.1, Windows                RO93720
14.1, Linux                  RO93721
14.1, Solaris                T52Y593
14.1, AIX                    T52Y594

Note: Customers must request "T" fixes and non-English fixes from CA support. Published "RO" fixes can be downloaded from the Service Desk Manager product page on the "Solutions & Patches" sub-page.
https://support.ca.com/

References

CVE-2016-10086 - CA Service Desk Manager RESTful web services task vulnerability

Acknowledgement

CVE-2016-10086 - Bruno de Barros Bulle

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr  +
==========================================================