Change Download Preference

Current Preference
Change Preference to:

CA20170504-01: Security Notice for CA Client Automation OS Installation Management

Issued: May 04, 2017
Last Updated: May 04, 2017

CA Technologies is alerting customers to a potential risk with CA Client Automation OS Installation Management. A vulnerability exists that can allow a local attacker to gain sensitive information on operating systems installations created by CA Client Automation OS Installation Management. A solution is available.

The vulnerability, CVE-2017-8391, occurs due to insecure storage of account credentials used by OS Installation Management during operating system installation. A local attacker can potentially access a sensitive file containing account credentials and decrypt a password. Depending on the privileges associated with the credentials, an attacker can potentially gain further access. This vulnerability only affects operating system installations created by CA Client Automation with OS Installation Management.

Risk Rating



Windows, Linux

Affected Products

Only CA Client Automation releases implementing OS Installation Management are vulnerable.

CA Client Automation r14.0, r14.0 SP1

CA Client Automation r12.9

CA Client Automation (formerly CA IT Client Manager) Release and Support Lifecycle Dates

How to determine if the installation is affected

Customers may review the technical document in the solution section to determine if any operating system installation created by CA Client Automation OS Installation Management is affected.


CA Technologies published the following solution to address the vulnerability.

CA Client Automation, all releases:

Follow the instructions in TEC1911981


CVE-2017-8391 - Client Automation OS Installation Management insecure password storage


CVE-2017-8391 - Christoph Falta

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.