CA20190212-01: Security Notice for CA Privileged Access Manager
1859
06 July 2020
20 February 2019
OPEN
Issued: February 12, 2019
Last Updated: February 20, 2019
CA Technologies Support is alerting customers to a potential risk with CA Privileged Access Manager. A vulnerability exists that can allow a remote attacker to access sensitive information or modify configuration. CA has published solutions to address the vulnerability.
CVE-2019-7392 describes a vulnerability resulting from inadequate access controls for the components jk-manager and jk-status web service, allowing a remote attacker to access the CA PAM Web-UI without authentication.
Risk Rating
High
Platform(s)
All platforms
Affected Products
CA Privileged Access Manager 3.2.1 and prior releases
CA Privileged Access Manager 3.1.2 and prior releases
CA Privileged Access Manager 3.0.x
How to determine if the installation is affected
Customers may check the version of the product to determine if they are running a vulnerable release.
Solution
Updates are available on the CA Privileged Access Manager Solutions & Patches page.
CA Privileged Access Manager 3.2.1 and prior releases:
Update to CA Privileged Access Manager 3.2.2 or later
CA Privileged Access Manager 3.1.2 and prior releases:
Update to CA Privileged Access Manager 3.1.3 or later
CA Privileged Access Manager 3.0.x:
Contact CA support for guidance
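One way to apply the version check and the fix mapping above across several appliances, as an added example that is not CA's code. It takes version strings you have already collected; the hostnames, the sample versions and the "unlisted" handling of releases older than 3.0 are assumptions.

```python
import re

# From the advisory: release train -> first fixed release.
# None means no fixed release is named (3.0.x: contact CA support).
FIXED_IN = {(3, 2): (3, 2, 2), (3, 1): (3, 1, 3), (3, 0): None}

def parse_version(text):
    """Parse 'major.minor[.patch]'; a missing patch level is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version_text):
    """Return (status, action) for one reported product version."""
    ver = parse_version(version_text)
    train = ver[:2]
    if train > max(FIXED_IN):
        # Newer than every listed train: covered by "3.2.2 or later".
        return ("fixed", "none")
    if train not in FIXED_IN:
        # Older than 3.0: the advisory does not list it explicitly (assumption).
        return ("unlisted", "confirm status with CA support")
    fixed = FIXED_IN[train]
    if fixed is None:
        return ("affected", "contact CA support for guidance")
    if ver >= fixed:
        return ("fixed", "none")
    return ("affected", "update to %d.%d.%d or later" % fixed)

def triage_inventory(inventory):
    """Return rows (host, version, status, action), affected hosts first."""
    rows = [(host, ver) + triage(ver) for host, ver in inventory.items()]
    order = {"affected": 0, "unlisted": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "pam-a.example.internal": "3.2.1",
    "pam-b.example.internal": "3.2.2",
    "pam-c.example.internal": "3.1.2",
    "pam-d.example.internal": "3.0.4",
    "pam-e.example.internal": "2.8.3",
}

if __name__ == "__main__":
    for host, ver, status, action in triage_inventory(SAMPLE):
        print(f"{host:26} {ver:8} {status:9} {action}")
```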
References
CVE-2019-7392 - CA Privileged Access Manager jk-manager and jk-status access
Acknowledgement
CVE-2019-7392 - Bob Brust
Change History
Version 1.0: 2019-02-12 Initial Release
Version 2.0: 2019-02-20 - Added direct link to solution download page
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.
Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.