Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA20100304-01: Security Notice for CA SiteMinder

Issued: March 04, 2010
Last Updated: March 25, 2010

CA's support is alerting customers to a security risk with CA SiteMinder. Multiple cross site scripting (XSS) vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information. CA has provided guidance to remediate the vulnerability.

The vulnerabilities, CVE-2009-3731, are due to insufficient validation of input strings. An attacker can potentially steal network domain credentials by enticing a user to visit a web page that contains malicious content.

Risk Rating

Low

Platforms

Windows
Solaris
HP-UX
Red Hat Linux

Affected Products

CA SiteMinder 6.0 (SP4 and earlier)

How to determine if the installation is affected

The vulnerability is caused by an issue with the publishing tool used to create the online help and HTML documentation for older CA SiteMinder releases (6.0 SP4 all CRs and earlier). CA stopped using this publishing tool beginning with SiteMinder 6.0 SP5.

This vulnerability affects CA SiteMinder in the following ways:

  • HTML versions of the product documentation for SiteMinder can be deployed on an individual system or through a web server. If product documentation has been deployed on a web server the SiteMinder 6.0 installation is vulnerable.

  • Online help systems for SiteMinder are deployed and accessible through a web server. This vulnerability applies to help systems.

In both cases, this vulnerability applies if web access to the associated web servers has been configured to make use of non-public (client-specific) information.

Solution

CA SiteMinder:

  • Upgrade Policy Servers to the latest service pack for SiteMinder 6.0. Remove older versions of the product documentation from your servers.

    Before you upgrade your Policy Server, the following directories will contain a \wwhelp subdirectory:

    The \wwhelp subdirectory contains files that are involved in the vulnerability.

    You can confirm your upgrade has resolved the vulnerability by verifying that directories no longer contain the \wwhelp subdirectory.

    or

  • Administrative UI Help:

    <policy server home>\admin\help

  • Policy Server Management Console Help:

    <policy server home>\bin\smconsole-help

  • SiteMinder Test Tool Help:

    <policy server home>\bin\smtest-help

  • For Integrated Document sets, if you have deployed the HTML version of documentation to a web server, move the documentation to a file server and delete the documentation from the web server.

  • For Online Help systems, remove the help systems from the application folders and place them on a file system for future reference. Note that this will cause help links to fail in the associated applications.

    The folders that contain help systems are:

  • Administrative UI Help:

    <policy server home>\admin\help

  • Policy Server Management Console Help:

    <policy server home>\bin\smconsole-help

  • SiteMinder Test Tool Help:

    <policy server home>\bin\smtest-help

References

CVE-2009-3731 - WebWorks Help XSS

Acknowledgement

CVE-2009-3731 - Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net)

Change History

Version 1.0: Initial Release
Version 1.1: Updated "How to determine if the installation is affected" and "Solution" sections.

If additional information is required, please contact CA Support at https://support.ca.com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.