full-disclosure-uk January 2009 archive

[Full-disclosure] CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

From: Williams, James K <James.Williams_at_nospam>
Date: Sat Jan 24 2009 - 18:37:32 GMT
To: <full-disclosure@lists.grok.org.uk>



Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

CA Advisory Reference: CA20090123-01

CA Advisory Date: 2009-01-23

Reported By: n/a

Impact: A remote attacker can execute arbitrary commands.

Summary: Multiple security risks exist in Apache Tomcat as included with CA Cohesion and products that contain CA Cohesion. CA has issued an update to address the vulnerabilities. Refer to the References section for the full list of resolved issues by CVE identifier.

Mitigating Factors: None

Severity: CA has given this vulnerability a Medium risk rating.

Affected Products:
CA Cohesion Application Configuration Manager 4.5
CA CMDB Application Server 11.1
Unicenter Service Desk 11.2

Non-Affected Products:
CA Cohesion Application Configuration Manager 4.5 SP1

Affected Platforms:

Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5, CA CMDB Application Server 11.1,
Unicenter Service Desk 11.2:

https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search &se

How to determine if you are affected:

  1. Using Windows Explorer, locate the file "RELEASE-NOTES".
  2. By default, the file is located in the "C:\Program Files\CA\Cohesion\Server\server\" directory.
  3. Open the file with a text editor.
  4. If the version is less than 5.5.25, the installation is vulnerable.
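
The manual check above, scripted as an added example (not part of the CA advisory). It assumes RELEASE-NOTES carries a header line of the form "Apache Tomcat Version x.y.z"; the default path and the 5.5.25 threshold are the ones given in the steps, and the sample headers are constructed.

```python
import re
from pathlib import Path

# Default path and fixed version are the ones stated in the advisory.
DEFAULT_NOTES = r"C:\Program Files\CA\Cohesion\Server\server\RELEASE-NOTES"
FIXED_VERSION = (5, 5, 25)

# Assumption: the file has a header line such as "Apache Tomcat Version 5.5.23".
VERSION_RE = re.compile(r"Apache Tomcat Version\s+(\d+(?:\.\d+)+)")


def parse_tomcat_version(text):
    """Return the version as a tuple of ints, or None if no header is found."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(text):
    """Classify RELEASE-NOTES content: 'vulnerable', 'not vulnerable', 'unknown'."""
    version = parse_tomcat_version(text)
    if version is None:
        return "unknown"  # header missing or not a numeric version
    # Compare numerically per component: (5, 5, 9) < (5, 5, 25), whereas the
    # string "5.5.9" sorts after "5.5.25" and would be misreported as fixed.
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return "vulnerable" if padded < FIXED_VERSION else "not vulnerable"


def assess_file(path=DEFAULT_NOTES):
    """Run the check on a file; a missing file is reported as 'unknown'."""
    notes = Path(path)
    if not notes.is_file():
        return "unknown"
    return assess(notes.read_text(encoding="utf-8", errors="replace"))


# Constructed sample headers, not taken from a real installation.
SAMPLES = [
    "Apache Tomcat Version 5.5.9\nRelease Notes\n",
    "Apache Tomcat Version 5.5.25\nRelease Notes\n",
    "Apache Tomcat Version @VERSION@\nRelease Notes\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample.splitlines()[0]), "->", assess(sample))
    print(DEFAULT_NOTES, "->", assess_file())
```

An "unknown" result means the header was not found or the file is absent, so that host still needs the manual check.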

Workaround: None

References (URLs may wrap):
CA Support:
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By:
CVE References:
CVE-2005-2090 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
CVE-2005-3510 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510
CVE-2006-3835 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835
CVE-2006-7195 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195
CVE-2006-7196 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196
CVE-2007-0450 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
CVE-2007-1355 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355
CVE-2007-1358 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
CVE-2007-1858 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
CVE-2007-2449 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
CVE-2007-2450 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
CVE-2007-3382 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
CVE-2007-3385 * - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
CVE-2007-3386 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
CVE-2008-0128 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.

OSVDB References: Pending

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team

CA, 1 CA Plaza, Islandia, NY 11749         

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2009 CA. All rights reserved.

