Issued: July 21, 2016
Last Updated: July 21, 2016

CA Technologies Support is alerting customers to multiple potential risks with CA eHealth. Two vulnerabilities exist in the web interface, CVE-2016-6151 and CVE-2016-6152, that can allow a remote authenticated attacker to cause a denial of service condition or possibly execute arbitrary commands. CA technologies assigned a High risk rating to these vulnerabilities. CA has a solution available.

Risk Rating

Platform(s)

All

Affected Products

CA eHealth 6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x

How to determine if the installation is affected

Customers may check the build number by running the nhShowRev command

If the installed product Fix build is less than the release in the below table, the installation is vulnerable.

Solution

For all releases of CA eHealth, update to version 6.3.2.13 or later to resolve these vulnerabilities.

References

CVE-2016-6151 - CA eHealth 6.2.x remote denial of service/command execution
CVE-2016-6152 - CA eHealth 6.2.x, 6.3.x remote denial of service/command execution

Acknowledgement

CVE-2016-6151, CVE-2016-6152 - Ben Lincoln, NCC Group

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.