-----BEGIN PGP SIGNED MESSAGE-----
Title: CA20090107-01: CA Service Metric Analysis and CA Service Level Management smmsnmpd Arbitrary Command Execution Vulnerability
CA Advisory Reference: CA20090107-01
CA Advisory Date: 2009-01-07
Reported By: Michel Arboi of Tenable Network Security
Impact: A remote attacker can execute arbitrary commands.
Summary: CA Service Metric Analysis and CA Service Level Management contain a vulnerability that can allow a remote attacker to execute arbitrary commands. CA has issued patches to address the vulnerability. The vulnerability, CVE-2009-0043, is due to insufficient access restrictions associated with the smmsnmpd service. A remote attacker can exploit this vulnerability to execute arbitrary commands in the context of the service.
Mitigating Factors: None
Severity: CA has given this vulnerability a High risk rating.
Affected Products:
CA Service Level Management 3.5
CA Service Metric Analysis r11.0
CA Service Metric Analysis r11.1
CA Service Metric Analysis r11.1 SP1
Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.
CA Service Level Management 3.5:
CA Service Metric Analysis r11.0:
CA Service Metric Analysis r11.1,
CA Service Metric Analysis r11.1 SP1:
How to determine if you are affected:
References (URLs may wrap):
CA20090107-01: Security Notice for CA Service Metric Analysis and CA Service Level Management
Solution Document Reference APARs:
RO04649, RO04653, RO04667
CA Security Response Blog posting:
CA20090107-01: CA Service Metric Analysis and CA Service Level Management smmsnmpd Arbitrary Command Execution Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/07.aspx
Reported By:
Michel Arboi of Tenable Network Security
http://www.tenablesecurity.com/
CVE-2009-0043 - SMA smmsnmpd command execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0043
OSVDB References: Pending
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.0 (Build 397)
-----END PGP SIGNATURE-----