full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] CA20090123-01: Cohesion To

[Full-disclosure] CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)

From: Williams, James K <James.Williams_at_nospam>
Date: Tue Jan 27 2009 - 00:27:00 GMT
To: <full-disclosure@lists.grok.org.uk>


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

CA Advisory Reference: CA20090123-01

CA Advisory Date: 2009-01-23

Reported By: n/a

Impact: Refer to the CVE identifiers for details.

Summary: Multiple security risks exist in Apache Tomcat as included with CA Cohesion Application Configuration Manager. CA has issued an update to address the vulnerabilities. Refer to the References section for the full list of resolved issues by CVE identifier.

Mitigating Factors: None

Severity: CA has given these vulnerabilities a Medium risk rating.

Affected Products:
CA Cohesion Application Configuration Manager 4.5

Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1

Affected Platforms:
Windows

Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search &se
archID=RO04648

How to determine if you are affected:

  1. Using Windows Explorer, locate the file "RELEASE-NOTES".
  2. By default, the file is located in the "C:\Program Files\CA\Cohesion\Server\server\" directory.
  3. Open the file with a text editor.
  4. If the version is less than 5.5.25, the installation is vulnerable.

Workaround: None

References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1975 40
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx Reported By:
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090 CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510 CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835 CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195 CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196 CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355 CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358 CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858 CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449 CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450 CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382 CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385 CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128 *Note: the issue was not completely fixed by Tomcat maintainers. OSVDB References: Pending
http://osvdb.org/

Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products

Customers who require additional information should contact CA Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1777 82

Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team

CA, 1 CA Plaza, Islandia, NY 11749         

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2009 CA. All rights reserved.

-----BEGIN PGP SIGNATURE-----

Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFJflTMeSWR3+KUGYURAuRZAJ9b/W0ZyaFxIzBzf8bZO3Zra6ewJwCfXemr gwJHdqRMBFFV9awQRW1jIWo=
=UfZX
-----END PGP SIGNATURE-----



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/