CA20220616-01: Security Notice for CA Clarity
Issued: June 16th, 2022
CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Clarity. A vulnerability exists that can allow a remote attacker to access sensitive data. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.
The vulnerability, CVE-2022-33739, occurs due to insecure XML parsing. A remote attacker can potentially view the contents of any file on the system.
Risk Rating
CVE-2022-33739 - Medium
Platform(s)
All
Affected Products
CA Clarity 15.8 and below
CA Clarity 15.9.0
Non-Affected Products
CA Clarity 15.8.1 and above
CA Clarity 15.9.0.1 and above
How to determine if the installation is affected
Check the product version and hotfix level.
https://knowledge.broadcom.com/external/article/190147/how-to-determine-the-current-version-of.html
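The version ranges above are not a single cut-off: 15.9.0 sorts higher than the fixed 15.8.1 release yet is still affected. The following sketch triages an inventory of version strings against those ranges. It is an added example, not Broadcom code; it assumes the version strings were already collected as described in the linked article, the host names are constructed, and it treats any build below 15.8.1 as affected.

```python
import re

# Boundaries taken from the advisory's Affected / Non-Affected lists.
FIXED_15_8 = (15, 8, 1, 0)    # "15.8.1 and above" is not affected
FIRST_15_9 = (15, 9, 0, 0)    # "15.9.0" is affected
FIXED_15_9 = (15, 9, 0, 1)    # "15.9.0.1 and above" is not affected


def parse_version(text):
    """Turn '15.9.0.1' into (15, 9, 0, 1), padding to four components."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version):
    """True if the version falls in the advisory's affected ranges."""
    v = parse_version(version)
    # Assumption: hotfix builds between 15.8 and 15.8.1 count as affected.
    if v < FIXED_15_8:
        return True
    # 15.9.0 sorts above 15.8.1 but is still affected until 15.9.0.1.
    return FIRST_15_9 <= v < FIXED_15_9


def triage(inventory):
    """Map each host to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"   # unparseable: needs a manual check
    return result


if __name__ == "__main__":
    # Constructed inventory; host names and versions are sample values.
    sample = {"ppm-prod": "15.9.0", "ppm-test": "15.9.0.1",
              "ppm-old": "15.7.1", "ppm-dr": "15.8.1", "ppm-lab": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```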
Solution
CA Technologies published the following solutions to address the vulnerability:
Upgrade to 15.9.0.1 or later.
The latest release is Clarity 16.0.2.
How to determine if the fix is applied
Check the product version and hotfix level.
https://knowledge.broadcom.com/external/article/190147/how-to-determine-the-current-version-of.html
References
CVE-2022-33739 - CA Clarity XXE vulnerability
Acknowledgement
CVE-2022-33739 - Michał Skowron (ING Hubs Poland)
Change History
Version 1.0: 2022-06-16 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.
Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.