Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA20150407-01: Security Notice for CA Spectrum

Issued: April 07, 2015

CA Technologies Support is alerting customers to multiple potential risks with CA Spectrum. Two vulnerabilities exist that can potentially allow a remote authenticated attacker to gain sensitive information or escalate privileges.

The first issue is a stored cross-site scripting vulnerability, CVE-2015-2827, which occurs due to insufficient validation of requests. An authenticated remote attacker can potentially execute script with increased privileges.

The second issue, CVE-2015-2828, occurs due to insufficient validation of data sent using serialized Java objects. A remote authenticated attacker can potentially gain administrative privileges on the host.

Risk Rating

High

Platform

All

Affected Products

CA Spectrum 9.2.x
CA Spectrum 9.3, 9.3 H01

Unaffected Products

CA Spectrum 9.3 H02 and newer releases
CA Spectrum 9.4 and newer releases

How to determine if the installation is affected

Use one of the below methods to find the CA Spectrum product version:

  1. CA OneClick Console: Click on Help -> About
  2. Open the Spectrum Console Panel on the SpectroServer and click on Help -> About
  3. On SpectroServer: Go to the Spectrum install directory, open the .installrc file and find the VERSION

Solution

CA Spectrum 9.2.x:
Update to CA Spectrum 9.3 H02, 9.4 or the latest available release

CA Spectrum 9.3, 9.3 H01:
Update to CA Spectrum 9.3 H02 or the latest available release

References

CVE-2015-2827 - Spectrum stored cross-site scripting vulnerability
CVE-2015-2828 - Spectrum serialized Java object privilege escalation

Acknowledgement

CVE-2015-2827, CVE-2015-2828 - Neil Jones, NCC Group

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.