CA20180829-03: Security Notice for CA Release Automation
30 August 2018
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to a potential risk with CA Release Automation. A vulnerability exists that can allow an attacker to potentially execute arbitrary code.
The vulnerability, CVE-2018-15691, has a high risk rating and concerns insecure deserialization of a specially crafted serialized object, which can allow an attacker to potentially execute arbitrary code.
Risk Rating
High
Platform(s)
All supported platforms
Affected Products
CA Release Automation 6.3
CA Release Automation 6.4
CA Release Automation 6.5
Note: older, unsupported releases may be affected.
Unaffected Products
CA Release Automation 6.6
CA Release Automation 6.3.0.9945 or later
CA Release Automation 6.4.0.10119 or later
CA Release Automation 6.5.0.10080 or later
How to determine if the installation is affected
Check the build number with the Help->About menu option, or determine which fixes are applied by looking at the Fix_Maintenance directory.
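An added example, not part of CA's advisory: a Python check that classifies build strings, as read from Help->About, against the fixed builds listed above, comparing build numbers numerically rather than as text. The four-part version format, the status labels and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed build per release line, from the advisory's "Unaffected Products" list.
FIXED_BUILD = {(6, 3): 9945, (6, 4): 10119, (6, 5): 10080}
UNAFFECTED_RELEASE = (6, 6)    # listed as unaffected regardless of build
OLDEST_LISTED = min(FIXED_BUILD)

# Assumed format: major.minor.patch.build, e.g. 6.4.0.10119
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Return 'affected', 'unaffected', 'possibly-affected',
    'not-covered' (release newer than any the advisory names) or 'unknown'."""
    m = _VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor, _patch, build = (int(g) for g in m.groups())
    release = (major, minor)
    if release == UNAFFECTED_RELEASE:
        return "unaffected"
    if release in FIXED_BUILD:
        # Integer comparison: as strings, "9999" would sort after "10119".
        return "unaffected" if build >= FIXED_BUILD[release] else "affected"
    if release < OLDEST_LISTED:
        # The advisory only says older, unsupported releases may be affected.
        return "possibly-affected"
    return "not-covered"


def triage(inventory):
    """Map each host in {host: version string} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "ra-mgmt-01": "6.3.0.9944",
    "ra-mgmt-02": "6.4.0.9999",
    "ra-mgmt-03": "6.5.0.10080",
    "ra-mgmt-04": "6.6.0.1",
    "ra-legacy": "6.2.0.5000",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```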
Solution
CA Technologies published the following solutions to address the vulnerability.
CA Release Automation 6.3:
Apply Cumulative Fix build 9945 or later.
CA Release Automation 6.4:
Apply Cumulative Fix build 10119 or later.
CA Release Automation 6.5:
Apply Cumulative Fix build 10080 or later.
References
CVE-2018-15691 - CA Release Automation deserialization vulnerability
Acknowledgement
CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec
Change History
Version 1.0: 2018-08-29 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.