CA20180328-01: Security Notice for CA API Developer Portal

28 March 2018

Issued: March 28, 2018
Last Updated: March 28, 2018

CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist that can allow a remote attacker to conduct cross-site scripting attacks.

The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns profile picture management, which can allow a remote attacker to conduct stored cross-site scripting attacks (CWE-79).

The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns the widgetID variable, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).

The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns how the apiExplorer handles requests, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).
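The notice names two XSS classes: a reflected one, where a request parameter (widgetID, the apiExplorer request) is echoed back into a page, and a stored one, where user-supplied profile picture data is later served to other users. The following is an added example written for this notice, not code from CA or from the CA API Developer Portal, showing the two defensive controls that close those classes: strict allow-list validation plus contextual HTML encoding for a reflected identifier, and content sniffing plus type enforcement for an uploaded image. All function names, the `widgetId` pattern and the assumption that the stored case involves an upload whose content type is trusted are hypothetical; the notice does not describe the root cause in that detail.

```javascript
// Added example (not CA's code). Names and the widget id format are hypothetical;
// nothing here is taken from the CA API Developer Portal source.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected case: a request parameter such as widgetID is echoed into a page.
// Validate against a strict allow-list first; an identifier never legitimately
// contains markup, so reject rather than "sanitize". Whatever survives is still
// encoded for the attribute context it lands in.
const WIDGET_ID = /^[A-Za-z0-9_-]{1,64}$/;

function renderWidgetContainer(widgetId) {
  if (!WIDGET_ID.test(widgetId)) {
    return { ok: false, html: '<div class="widget-error">Invalid widget id</div>' };
  }
  return {
    ok: true,
    html: `<div class="widget" data-widget-id="${escapeHtml(widgetId)}"></div>`,
  };
}

// Stored case: an uploaded "profile picture" is served back to other users.
// Assumption (not stated in the notice): the server should decide the type from
// the bytes it received, never from the client-supplied Content-Type or filename.
// Only raster formats are recognised; SVG and HTML can carry script and are refused.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

function sniffImageType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

function acceptProfilePicture(buf, declaredType) {
  const real = sniffImageType(buf);
  if (real === null) return { ok: false, reason: 'not a recognised raster image' };
  if (declaredType !== real) {
    return { ok: false, reason: `declared ${declaredType}, content is ${real}` };
  }
  // Serve with the sniffed type and a header that stops browsers second-guessing it.
  return { ok: true, contentType: real, headers: { 'X-Content-Type-Options': 'nosniff' } };
}

// Constructed inputs for a stand-alone run.
const markupInId = '"><i>injected</i>';
console.log(renderWidgetContainer('billing-widget_42').html);
console.log(renderWidgetContainer(markupInId).html);
const svgClaimingPng = Buffer.from('<svg></svg>');
console.log(acceptProfilePicture(svgClaimingPng, 'image/png'));
const realPngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);
console.log(acceptProfilePicture(realPngHeader, 'image/png'));
```

The two controls are deliberately layered: validation keeps markup out of the identifier entirely, and encoding guarantees that a value which does reach the template cannot change the HTML structure even if the validator is later loosened. For the upload path, the fix is to derive the served Content-Type from the bytes and send `X-Content-Type-Options: nosniff`, so the browser cannot be persuaded to treat stored data as a document.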

Risk Rating

CVE Identifier     Risk Rating
CVE-2018-6586      Medium
CVE-2018-6587      Medium
CVE-2018-6588      Medium

Platform(s)

All supported platforms

Affected Products

CVE Identifier     Affected Product and Releases
CVE-2018-6586      CA API Developer Portal 3.5 GA through and including CR6
CVE-2018-6587      CA API Developer Portal 3.5 GA through and including CR6
CVE-2018-6588      CA API Developer Portal 3.5 GA through and including CR5

*CA API Developer Portal was formerly called CA Layer 7 API Portal

Unaffected Products

CA API Developer Portal 4 and newer releases

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find the product version and then use the table in the Affected Products section to determine if the installation is vulnerable.

Solution

CA Technologies published the following solution to address the vulnerabilities.

CA API Developer Portal 3.5:

Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in this security notice.

CA API Management Solutions & Patches

References

CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS

Acknowledgement

CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas from Biznet Bilisim A.S.

Change History

Version 1.0: 2018-03-28 - Initial Release


CA will send a notification about this security notice to customers who are subscribed to CA Technologies’ Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please send a report to the CA Technologies Product Vulnerability Response Team.
