CA20201215-01: Security Notice for CA Service Catalog


15 December 2020

15 December 2020



CA20201215-01: Security Notice for CA Service Catalog

Issued: December 15, 2020

Last Updated: December 15, 2020

CA Technologies, a Broadcom Company, is alerting customers to a risk with CA Service Catalog. A vulnerability can exist in a specific configuration that can potentially allow a remote attacker to cause a denial of service condition. CA published a solution and instructions to resolve the vulnerability.

The vulnerability, CVE-2020-29478, occurs due a default configuration setting that, if not modified during installation by customers, can allow a remote attacker to access and update configuration information that can result in a denial of service condition.

Risk Rating

CVE-2020-29478 - High



Affected Products

CA Service Catalog 17.2
CA Service Catalog 17.3

How to determine if the installation is affected

The Setup Utility login will allow the administrator to set the password if the administrator doesn’t set the password during installation.


The following solutions address the vulnerability.

CA Service Catalog 17.2:
Update to Service Catalog 17.2 RU10

CA Service Catalog 17.3:
Update to Service Catalog 17.3 RU2


The steps to mitigate this risk are:

  1. Customers should confirm that they set the password for the Setup Utility.
  2. After setting the password, restart the Catalog service "ServiceCatalog". 


CVE-2020-29478 - CA Service Catalog configuration access


CVE-2020-29478 - Felipe Restrepo

Change History

Version 1.0: 2020-12-15 Initial Release

CA customers may receive product alerts and advisories by subscribing to Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Product Security Incident Response Team.