CA20220203-01: Security Notice for CA Harvest Software Change Manager

Issued: February 3rd, 2022

CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

The vulnerability, CVE-2022-22689, occurs due to insufficient input validation.  A privileged user can potentially execute arbitrary code or commands.

Risk Rating

CVE-2022-22689 - High

Platform(s)

Microsoft Windows, Linux, Linux s390x, Apple MacOS

Affected Products

CA Harvest Software Change Manager 13.0.3
CA Harvest Software Change Manager 13.0.4
CA Harvest Software Change Manager 14.0.0
CA Harvest Software Change Manager 14.0.1
Note: older, unsupported versions may be affected

How to determine if the installation is affected

For Harvest Workbench, check for “CA Harvest Software Change Manager Workbench” release number.
From Harvest workbench, Click on About > CA Harvest Software Change Manager Workbench
For 13.0.3 it would be 13.0.3.152
For 13.0.4 it would be 13.0.4.254
For 14.0.0 it would be 14.0.0.369
For 14.0.1 it would be 14.0.0.369

For Eclipse, check for “CA Harvest SCM Team Provider” feature version.
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a
For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or 13.0.4.254c
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a
For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a 

Solution

CA Technologies published the following solutions to address the vulnerabilities:

Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or 14.0.1.

Fixes are available at:
13.0.3 APAR 99111332
13.0.4 APAR 99111333
14.0.0 APAR 99111334
14.0.1 APAR 99111356

How to determine if the fix is applied

For Harvest Workbench, check for “CA Harvest SCM Workbench” feature name.
From Harvest Workbench, Click on About > CA Harvest Software Change Manager Workbench > Installation Details > Features
Feature name would be “CA Harvest SCM Workbench-Efix-V0001”

For Eclipse, check for “CA Harvest SCM Team Provider” feature version.
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features
For 13.0.3 it would be 13.0.3.152b
For 13.0.4 it would be 13.0.4.254d
For 14.0.0 it would be 14.0.0.369b
For 14.0.1 it would be 14.0.2.16

References

CVE-2022-22689 - CA Harvest Software Change Manager CSV injection vulnerability

Acknowledgement

CVE-2022-22689 - Merten Nagel of usd AG

Change History

Version 1.0: 2022-02-03 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.