Security Notice
Frequently Asked Questions

Last Updated: February 15, 2006

What is CAM/CAFT?

CAM is a messaging sub-component which provides a "store and forward" messaging framework for applications. A number of CA applications now use CAM for their messaging requirements. CAFT is an application, supplied with CAM, which utilises CAM for file transfers. CAFT is driven by messages it receives from CAM-enabled applications.

I have a very large environment with hundreds / thousands of machines. How do I confirm which ones have this vulnerability?

With Unicenter Asset Management, upgrade the Application Definition component to the latest version. Based on version information regarding this vulnerability, you can design reports to provide this information.

Can we install the latest CAM/CAFT versions on top of any existing CAM/CAFT installation?

By design, CAM/CAFT is upwardly compatible. However, please follow the instructions provided for each product to ensure a smooth upgrade.

Do we have to stop the products relying on CAM/CAFT before installing the upgrade?

The install process will take care of stopping and starting CAM. However, to minimize any disruption to applications that may be using CAM, you may wish to shut down those applications (please refer to the list of affected applications in the security notice) before installing the upgrade. After the upgrade, you will have to restart any applications that were closed by you or, indirectly, by the shutdown of CAM.

Can this patch be distributed using Unicenter Software Delivery (USD/SDO)?

Yes. Software delivery packages are available and included in each CAM fix. Simply follow the instructions included with each fix to register these packages to your USD server.

The installation/update of CAM will produce an install log which is captured in the output tab of the software delivery job. This can be used to verify the success, or otherwise, of the job.

Note: The USD package for CA Message Queuing uses SDRegister.exe on Windows to register the software packages. Please review the ReadMe.doc file that is included with each USD package for CA Message Queuing for the instructions on registering, delivering, and installing CA Message Queuing using USD.

Can this vulnerability be detected using Unicenter Asset Management (UAM/AMO)?

Yes. The latest Unicenter Asset Management definitions can be used to detect this vulnerability.

See the section on the main Security Notice page which discusses downloading the UAM/AMO Definitions.

We are running Sun-Solaris 64 bit. Will the CA Message Queuing patch work with this version?


I have already installed a CAM/CAFT patch that addresses a security vulnerability, do I need to install these new patches?

Yes. Earlier patches corrected certain vulnerabilities, but subsequent analysis revealed further ways of exploiting these vulnerabilities that we needed to address. The latest patches address all known ways of exploiting these vulnerabilities.

How would I know that CAM is the subject of a Denial of Service (DoS) attack? In other words, how would I tell that CAM was possibly under attack?

If CAM were the subject of a DoS attack on its TCP port, it would no longer accept new TCP connections. For example, if you tried to run the camstat command, it would fail to connect to CAM even though CAM was running. You would see a message similar to the following:

camstat: select failed (15) Unable to connect to CAM server

This sort of message can be produced under legitimate conditions if the CAM server is very busy, so another test is to run the camstat command from a remote machine against this machine and see whether it also fails. A failure there is another indication of a possible DoS situation. For example, running the following command on a remote machine should work:

camstat <affected_machine_name>

However, a more accurate indicator would be a high CPU utilisation in CAM.
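The three indicators above (local camstat failure, remote camstat failure, CAM CPU utilisation) can be combined into one triage check. This is an added example, not CA code; the 80% CPU threshold, the verdict names and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not CA code): combine the three DoS indicators from this FAQ.
CAM_ERR='Unable to connect to CAM server'   # camstat failure text quoted above
CPU_HIGH=80                                 # assumption: percent treated as "high"

# Succeeds when captured camstat output contains the connect failure.
connect_failed() {
    case $1 in *"$CAM_ERR"*) return 0 ;; *) return 1 ;; esac
}

# Sum %CPU of every process whose command name is camf (the Unix CAM module).
cam_cpu() {
    ps -eo pcpu,comm 2>/dev/null |
        awk '$2 ~ /(^|\/)camf$/ { s += $1 } END { printf "%d\n", s }'
}

# triage LOCAL_OUTPUT REMOTE_OUTPUT CPU_PERCENT -> prints one verdict word
triage() {
    fails=0
    if connect_failed "$1"; then fails=$((fails + 1)); fi
    if connect_failed "$2"; then fails=$((fails + 1)); fi
    cpu=${3%%.*}; cpu=${cpu:-0}
    if [ "$fails" -eq 0 ]; then
        echo ok                    # CAM still accepts connections
    elif [ "$cpu" -ge "$CPU_HIGH" ]; then
        echo likely-dos            # refused connections plus high CAM CPU
    elif [ "$fails" -eq 2 ]; then
        echo suspect               # fails locally and remotely, CPU normal
    else
        echo busy-or-transient     # one failure: can happen on a busy server
    fi
}

# Live use on the affected machine; skipped where camstat is not installed.
# $1 (optional) is a file holding the output of "camstat <affected_machine_name>"
# captured on a remote machine.
if command -v camstat >/dev/null 2>&1; then
    local_out=$(camstat 2>&1 || true)
    remote_out=$( [ -n "${1:-}" ] && cat "$1" || true)
    triage "$local_out" "$remote_out" "$(cam_cpu)"
fi
```

A verdict other than ok is a prompt to look at CAM on that machine, not proof of an attack, since a very busy server produces the same camstat message.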

Does the new CAM update that addresses the problem of the CAM vulnerabilities require a reboot of the OS?

Application of the CAM update should not require a reboot provided that all applications which depend upon CAM have been shut down (please refer to the list of affected applications in the security notice). The upgrade will mark any files which are in use for replacement at the next reboot. Please review the product-specific pages for any additional upgrade details.

Are there Master Image updates for the CAM / CAFT Vulnerability patch?

Yes. Check the appropriate product support page for image update patches available for download via SupportConnect.

We have instances of the cam.exe (or camf on Unix) module residing in directories other than the one in which CAM is installed...are they the same?

There is only one install of CAM on a system. Its location is determined as follows:

Windows: the install location is specified by the %CAI_MSQ% environment variable
Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM install location

Some CA products contain copies of CAM for the purposes of sharing or distributing to other systems. Other products may contain CAM installs which will be activated if relevant functionality is enabled. In those cases, a CAM install is initiated, which will establish whether the installed CAM needs to be upgraded. In these situations, please be sure to follow the product-specific links above.
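On Unix/Linux, the copies described above can be inventoried and compared with the module under the recorded install location. This is an added example, not CA code; the function names are hypothetical, and it assumes the installed module is the first file named camf found under the directory listed in /etc/catngcampath.

```shell
#!/bin/sh
# Added example (not CA code): inventory files named camf and compare each
# with the module under the install location recorded in /etc/catngcampath.

# cam_install_dir [PATHFILE] -> prints the recorded install location
cam_install_dir() {
    f=${1:-/etc/catngcampath}
    [ -r "$f" ] || return 1
    # First line only; drop trailing whitespace/CR and trailing slashes.
    head -n 1 "$f" | sed 's/[[:space:]]*$//; s:/*$::'
}

# list_cam_copies SEARCH_ROOT [PATHFILE]
# Prints "installed", "same-as-installed" or "differs" plus the path of
# every file named camf under SEARCH_ROOT.
list_cam_copies() {
    dir=$(cam_install_dir "${2:-/etc/catngcampath}") || return 1
    # Assumption: the installed module is the first camf found under $dir.
    ref=$(find "$dir" -type f -name camf 2>/dev/null | sort | head -n 1)
    [ -n "$ref" ] || return 1
    ref_sum=$(cksum < "$ref")
    find "$1" -type f -name camf 2>/dev/null | sort | while IFS= read -r p; do
        case $p in
            "$dir"/*) echo "installed $p" ;;
            *)  if [ "$(cksum < "$p")" = "$ref_sum" ]; then
                    echo "same-as-installed $p"
                else
                    echo "differs $p"
                fi ;;
        esac
    done
}

# Live use: pass the directory tree to search as $1 (for example a product
# directory); skipped on machines without /etc/catngcampath.
if [ -n "${1:-}" ] && [ -r /etc/catngcampath ]; then
    list_cam_copies "$1"
fi
```

A copy reported as differs is only byte-different from the installed module; use the product-specific instructions to decide whether it needs updating.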