Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA20180829-02: Security Notice for CA Unified Infrastructure Management

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to multiple potential risks with CA Unified Infrastructure Management. Multiple vulnerabilities exist that can allow an attacker, who has access to the network on which CA UIM is running, to run arbitrary CA UIM commands on machines where the CA UIM probes are running.  An attacker can also gain access to other machines running CA UIM and access the filesystems of those machines.

The first vulnerability, CVE-2018-13819, has a medium risk rating and concerns a hardcoded secret key, which can allow an attacker to access sensitive information.

The second vulnerability, CVE-2018-13820, has a medium risk rating and concerns a hardcoded passphrase, which can allow an attacker to access sensitive information.

The third vulnerability, CVE-2018-13821, has a high risk rating and concerns a lack of authentication, which can allow a remote attacker to conduct a variety of attacks, including file reading/writing.

Risk Rating

Cumulative risk rating of High.

Platform(s)

All supported platforms

Affected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7

Unaffected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the solutions listed below applied.

How to determine if the installation is affected

Review the UIM Vulnerability Patch 1 documentation to determine if all appropriate patches have been applied.  Additionally, review KB000111575: CA UIM Best Practices For Secure Environments and CA UIM Best Practices for Securing Environments to mitigate CVE-2018-13821 to ensure that all best practices have been implemented.

Solution

Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM 8.4.7 to resolve these vulnerabilities.  Both solutions, UIM Vulnerability Patch 1, and UIM Best Practices for Secure Environments, must be implemented to effectively mitigate all three vulnerabilities.

-OR-

If you feel the best practice recommendations are insufficient for your specific security needs, please contact CA Support to install and configure the CA UIM Secure Bus 8.01.

Note: While the secured version of the message bus has additional security features (e.g. encrypting all UIM traffic from robot to hub), the implementation requires additional prerequisites (such as requiring user-provided, signed X.509 certificates) and may have reduced functionality compared to the standard message bus.

Customers running any End of Service (EOS) release are strongly advised to upgrade to version

8.5.1 and take the remediation actions listed above to resolve the vulnerabilities immediately. 

For the most up-to-date information about these CA Unified Infrastructure Management vulnerabilities, and for other important product information, please see the CA Unified Infrastructure Management Support page.

References

CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication

Acknowledgement

CVE-2018-13819 - Øystein Middelthun
CVE-2018-13820 - Øystein Middelthun
CVE-2018-13821 - Øystein Middelthun

Change History

Version 1.0: 2018-08-29 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

CA Technologies security notices