CA Technologies Support is alerting customers to potential risks with CA Single Sign-On (CA SSO), formerly known as CA SiteMinder. Michael Brooks of BishopFox alerted CA to vulnerabilities that can allow a remote attacker to cause a denial of service or possibly gain sensitive information. CA has fixes that address the vulnerabilities.
The first vulnerability, CVE-2015-6853, occurs due to insufficient verification of requests in the CA SSO Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. Only CA SSO customers using the Domino web agent are affected by this vulnerability.
The second vulnerability, CVE-2015-6854, occurs due to insufficient verification of requests in all CA SSO web agents other than the Domino web agent. A remote attacker can make a request that could result in a crash or disclose sensitive information. CA has assigned this vulnerability a High risk rating. The web agents in CA SSO versions 12.51 and 12.52 are not affected by this vulnerability. Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are also not affected by this vulnerability.
Read more at: CA20160323-01: Security Notice for CA Single Sign-On Web Agents - CA Technologies
List of vulnerability alerts: Vulnerability Alerts - View All - CA Technologies