CA20160627-01: Security Notice for Release Automation
24 May 2019
Issued: June 27, 2016
Last Updated: June 27, 2016
CA Technologies Support is alerting customers to multiple potential risks with CA Release Automation. Three vulnerabilities exist that can allow a remote attacker to potentially gain sensitive information or cause a denial of service condition. CA has fixes available.
The first vulnerability, CVE-2015-7370, occurs due to the inclusion of a vulnerable third-party component, Open Flash Chart. A remote attacker can conduct cross-site scripting attacks. CA Technologies assigned a Medium risk rating to this vulnerability.
The second vulnerability, CVE-2015-8698, occurs due to insufficient verification of requests to the web server, which can lead to limited XML external entity attacks. An authenticated attacker in the local network can potentially gain sensitive information or cause a denial of service condition. CA Technologies assigned a Medium risk rating to this vulnerability.
The third vulnerability, CVE-2015-8699, occurs due to insufficient verification of requests to the web interface, which leads to multiple reflected cross-site scripting vulnerabilities and one stored cross-site scripting vulnerability. CA Technologies assigned a Medium risk rating to these vulnerabilities.
Risk Rating
| CVE Identifier | Risk | Vulnerable Releases |
| --- | --- | --- |
| CVE-2015-7370 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
| CVE-2015-8698 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
| CVE-2015-8699 | Medium | CA Release Automation versions prior to and including: 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004 |
Platform(s)
All platforms
Affected Products
CA Release Automation (formerly CA LISA Release Automation) prior to and including 5.0.2-193, 5.5.1-1613, 5.5.2-409, 6.1.0-1004
How to determine if the installation is affected
Customers may check the build number of their RA installation via the Help->About menu option in the ROC web application.
Customers may also determine which fixes are applied by looking at the Fix_Maintenance directory.
Windows example:
C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance
Linux, Solaris example:
/opt/LISAReleaseAutomationServer/Fix_Maintenance
If the installed product Fix build is less than the build number in the table below, the installation is vulnerable.
| Product release | Fix build |
| --- | --- |
| CA Release Automation 6.1.0 | 6.1.0-1026 |
| CA Release Automation 5.5.1 | 5.5.1-1616 |
| CA Release Automation 5.5.2 | 5.5.2-434 |
| CA Release Automation 5.0.2 | 5.0.2-227 |
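The comparison described above, as an added example that is not part of the notice or CA's tooling: it parses a build string of the form shown in the tables (release-build, e.g. 5.5.2-409), looks up the fix build for that release line, and reports whether the installation is below it. The fix-build table is copied from the notice; the build strings fed to it are constructed samples, and release lines the notice does not list are reported as "not covered" rather than as fixed.

```python
"""Check CA Release Automation build numbers against the fix builds in
CA20160627-01. Added example, not CA's code; sample builds are constructed."""
import re

# Fix builds per release line, taken from the notice's "Fix build" table.
FIX_BUILDS = {
    "6.1.0": 1026,
    "5.5.1": 1616,
    "5.5.2": 434,
    "5.0.2": 227,
}

# Build strings look like "<major>.<minor>.<patch>-<build>".
_BUILD_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)$")


def parse_build(build: str):
    """Split '5.5.2-409' into ('5.5.2', 409); raise ValueError on bad input."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return m.group(1), int(m.group(2))


def is_vulnerable(build: str) -> bool:
    """True when the build is below the fix build for its release line.

    Release lines not in the notice return False because this notice does
    not cover them; that is not a statement that they are patched.
    """
    release, number = parse_build(build)
    fix = FIX_BUILDS.get(release)
    return fix is not None and number < fix


def assess(builds):
    """Map each build string to 'vulnerable', 'fixed' or 'not covered'."""
    result = {}
    for b in builds:
        release, _ = parse_build(b)
        if release not in FIX_BUILDS:
            result[b] = "not covered"
        else:
            result[b] = "vulnerable" if is_vulnerable(b) else "fixed"
    return result


if __name__ == "__main__":
    # Constructed samples: a highest-affected build, fix builds, and an
    # unlisted release line.
    for build, status in assess(["5.5.2-409", "5.5.2-434", "6.1.0-1004",
                                 "6.1.0-1026", "6.2.0-100"]).items():
        print(f"{build:12} {status}")
```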
Solution
CA Technologies has issued the following updates to address the vulnerabilities.
CA Release Automation 6.1.0:
Update to CA Release Automation 6.1.0-1026 or later
CA Release Automation 5.5.1:
Update to CA Release Automation 5.5.1-1616 or later
CA Release Automation 5.5.2:
Update to CA Release Automation 5.5.2-434 or later
CA Release Automation 5.0.2:
Update to CA Release Automation 5.0.2-227 or later
References
CVE-2015-7370 - Open Flash Chart XSS
CVE-2015-8698 - Release Automation XXE
CVE-2015-8699 - Release Automation multiple XSS
Acknowledgement
CVE-2015-7370, CVE-2015-8698, CVE-2015-8699 - Marcin Wołoszyn, ING
Change History
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.