CA BrightStor Hierarchical Storage Manager CsAgent
Last Updated: September 26, 2007
CA's technical support is alerting customers to security risks in BrightStor Hierarchical Storage Manager. Multiple vulnerabilities exist in the CsAgent service that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities.
The first set of vulnerabilities, CVE-2007-5082, occur due to insufficient bounds checking with multiple CsAgent service commands.
The second set of vulnerabilities, CVE-2007-5083, occur due to insufficient validation of integer values with multiple CsAgent service commands, which can lead to buffer overflow.
The third set of vulnerabilities, CVE-2007-5084, occur due to insufficient validation of strings used in SQL statements in multiple CsAgent service commands.
An attacker can potentially execute arbitrary code and gain control of a host running Hierarchical Storage Manager.
CA BrightStor Hierarchical Storage Manager r11.5
How to determine if the installation is affected
Run the BrightStor HSM Administrator GUI and open Help->About from the toolbar to view the version. If the version is less than 11.6, the installation is vulnerable.
CA has provided an update to address the vulnerabilities. Upgrade to BrightStor Hierarchical Storage Manager r11.6.
BrightStor Hierarchical Storage Manager r11.6:
CVE-2007-5082 - Multiple buffer overflows
CVE-2007-5083 - Multiple integer overflows
CVE-2007-5084 - Multiple SQL injection issues
CVE-2007-5082 - An anonymous researcher working with the iDefense VCP, Aaron Portnoy of DV Labs (dvlabs.tippingpoint.com)
CVE-2007-5083 - Sean Larsson, iDefense Labs
CVE-2007-5084 - Aaron Portnoy of DV Labs (dvlabs.tippingpoint.com)
Version 1.0: Initial Release
If additional information is required, please contact CA Technical Support at https://support.ca.com.
If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at https://www.ca.com/us/securityadvisor/vulninfo/submit.aspx.