CA20201215-01: Security Notice for CA Service Catalog


Issued: December 15, 2020

Last Updated: December 15, 2020

CA Technologies, a Broadcom Company, is alerting customers to a risk with CA Service Catalog. A vulnerability can exist in a specific configuration that can potentially allow a remote attacker to cause a denial of service condition. CA published a solution and instructions to resolve the vulnerability.

The vulnerability, CVE-2020-29478, is caused by a default configuration setting that, if customers do not change it during installation, can allow a remote attacker to access and update configuration information, which can result in a denial of service condition.

Risk Rating

CVE-2020-29478 - High

Platform(s)

Windows

Affected Products

CA Service Catalog 17.2
CA Service Catalog 17.3

How to determine if the installation is affected

If the administrator did not set the Setup Utility password during installation, the Setup Utility login page will still allow the administrator to set it. An installation whose Setup Utility password was never set is affected.

Solution

The following solutions address the vulnerability.

CA Service Catalog 17.2:
Update to Service Catalog 17.2 RU10

CA Service Catalog 17.3:
Update to Service Catalog 17.3 RU2

Workaround

The steps to mitigate this risk are:

  1. Customers should confirm that they set the password for the Setup Utility. See https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/administering/configuring-ca-service-catalog/reconfigure-the-ca-service-catalog-computer-using-the-setup-utility.html
  2. After setting the password, restart the Catalog service "ServiceCatalog".

References

CVE-2020-29478 - CA Service Catalog configuration access

Acknowledgement

CVE-2020-29478 - Felipe Restrepo

Change History

Version 1.0: 2020-12-15 Initial Release

CA customers may receive product alerts and advisories by subscribing to Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Product Security Incident Response Team.