CA BrightStor Hierarchical Storage Manager CsAgent
Security Notice

Last Updated: September 26, 2007

CA's technical support is alerting customers to security risks in BrightStor Hierarchical Storage Manager. Multiple vulnerabilities exist in the CsAgent service that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. CA has issued updates to address the vulnerabilities.

The first set of vulnerabilities, CVE-2007-5082, occurs due to insufficient bounds checking in multiple CsAgent service commands.

The second set of vulnerabilities, CVE-2007-5083, occurs due to insufficient validation of integer values in multiple CsAgent service commands, which can lead to a buffer overflow.

The third set of vulnerabilities, CVE-2007-5084, occurs due to insufficient validation of strings used in SQL statements in multiple CsAgent service commands.

An attacker can potentially execute arbitrary code and gain control of a host running Hierarchical Storage Manager.

Risk Rating


Affected Products

CA BrightStor Hierarchical Storage Manager r11.5

How to determine if the installation is affected

Run the BrightStor HSM Administrator GUI and open Help->About from the toolbar to view the version. If the version is less than 11.6, the installation is vulnerable.


CA has provided an update to address the vulnerabilities. Upgrade to BrightStor Hierarchical Storage Manager r11.6.

BrightStor Hierarchical Storage Manager r11.6:




CVE-2007-5082 - Multiple buffer overflows
CVE-2007-5083 - Multiple integer overflows
CVE-2007-5084 - Multiple SQL injection issues


CVE-2007-5082 - An anonymous researcher working with the iDefense VCP, Aaron Portnoy of DV Labs (
CVE-2007-5083 - Sean Larsson, iDefense Labs
CVE-2007-5084 - Aaron Portnoy of DV Labs (

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technical Support at

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form at