Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to a potential risk with CA Release Automation.  A vulnerability exists that can allow an attacker to potentially execute arbitrary code. 

The vulnerability, CVE-2018-15691, has a high risk rating and concerns insecure deserialization of a specially crafted serialized object, which can allow an attacker to potentially execute arbitrary code. 

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Release Automation 6.3
CA Release Automation 6.4
CA Release Automation 6.5

Note:  older, unsupported releases may be affected.

Unaffected Products

CA Release Automation 6.6
CA Release Automation 6.3.0.9945 or later
CA Release Automation 6.4.0.10119 or later
CA Release Automation 6.5.0.10080 or later

How to determine if the installation is affected

Check the build number with the Help->About menu option, or determine which fixes are applied by looking at the Fix_Maintenance directory.

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Release Automation 6.3:
Apply Cumulative Fix build 9945 or later.

CA Release Automation 6.4:
Apply Cumulative Fix build 10119 or later.

CA Release Automation 6.5:
Apply Cumulative Fix build 10080 or later.

References

CVE-2018-15691 - CA Release Automation deserialization vulnerability

Acknowledgement

CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec

Change History

Version 1.0: 2018-08-29 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

CA Technologies security notices