CA20190117-01: Security Notice for CA Service Desk Manager


17 January 2019

08 August 2016


Issued: January 17, 2019

Last Updated: January 17, 2019

CA Technologies Support is alerting customers to multiple potential risks with CA Service Desk Manager. Multiple vulnerabilities exist that can allow a remote attacker to access sensitive information or possibly gain additional privileges. CA published solutions to address the vulnerabilities.

The first vulnerability, CVE-2018-19634, is due to how survey access is implemented. A malicious actor can access and submit survey information without authentication.

The second vulnerability, CVE-2018-19635, allows for a malicious actor to gain additional privileges.

Risk Rating

High

Platform(s)

All platforms

Affected Products

CA Service Desk Manager 14.1

CA Service Desk Manager 17

How to determine if the installation is affected

CA Service Desk Manager r14.1:

Versions prior to 14.1.05.1 are vulnerable.

CA Service Desk Manager r17 Windows:

Versions 17.1.0.1 and prior are vulnerable unless the 17.1.0.1 language patch listed in the Solution section has been installed.

CA Service Desk Manager r17 Linux:

Versions prior to 17.1.0.2 are vulnerable.
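The version thresholds above, encoded as a check that can be run over an inventory of installations (an added illustration, not CA's own code; the function and parameter names are assumed, and the platform and language-patch inputs must be supplied by the operator):

```python
"""Affected-version check for CA20190117-01 (added illustration, not CA's code).

Thresholds taken from the advisory text:
  r14.1            : fixed in 14.1.05.1 (all platforms)
  r17 on Windows   : fixed in 17.1.0.2, or 17.1.0.1 plus the language patch
  r17 on Linux     : fixed in 17.1.0.2
Versions are compared numerically, component by component, so that
14.1.05.1 sorts above 14.1.4 even though "14.1.05.1" < "14.1.4" as strings.
"""
import re
from typing import Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.1.05.1' or 'r17.1.0.1' into a tuple of ints for comparison."""
    digits = re.findall(r"\d+", text)
    if not digits:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(d) for d in digits)


def pad(v: Tuple[int, ...], n: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so that 17.1 compares as 17.1.0.0."""
    return v + (0,) * (n - len(v))


def is_affected(version: str, platform: str, language_patch_installed: bool = False) -> bool:
    """Return True if this Service Desk Manager install is vulnerable per CA20190117-01.

    platform: 'windows', 'linux' or 'sun' (case-insensitive); it only changes the
    outcome for r17, where the 17.1.0.1 language patch is a Windows-only fix.
    """
    v = pad(parse_version(version))
    plat = platform.lower()
    if v[0] == 14:
        return v < pad(parse_version("14.1.05.1"))
    if v[0] == 17:
        if v >= pad(parse_version("17.1.0.2")):
            return False
        if plat == "windows" and v == pad(parse_version("17.1.0.1")):
            return not language_patch_installed
        return True
    # The advisory covers only r14.1 and r17; refuse to guess about other releases.
    raise ValueError(f"version {version!r} is not covered by CA20190117-01")
```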

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Service Desk Manager r14.1:

Update to CA Service Desk Manager 14.1.05.1. The rollup patches are available on the CA Service Desk Manager 14.1 Solutions & Patches page.

Windows - SO05733

Sun - SO05716

Linux - SO05715

CA Service Desk Manager R17 Linux:

Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions & Patches page.

CA Service Desk Manager R17 Windows:

Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the corresponding language patch for the Service Desk Manager installation. All fixes are available on the CA Service Desk Manager 17.1 Solutions & Patches page.

Chinese - SO06055

English - SO06036

French - SO06051

French Canadian - SO06039

German - SO06037

Italian - SO06052

Japanese - SO06053

Portuguese - SO06054

Spanish - SO06038

References

CVE-2018-19634 - CA Service Desk Manager survey access

CVE-2018-19635 - CA Service Desk Manager privilege escalation

Acknowledgement

CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep

Change History

Version 1.0: 2019-01-17 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.