CA-TECH-INFO-DAMON

Announcement: Revised Authentication Feedback Messages in the CA PPM SaaS (On Demand) Portal

Discussion created by CA-TECH-INFO-DAMON Employee on Jul 17, 2017

The wording of several on-screen messages shown in the CA On Demand Portal when a user authentication attempt or a password recovery fails has been revised. These small changes mitigate a potential user enumeration issue: the previous failed-authentication messages were non-standard and differed subtly depending on whether the username was valid or invalid, so valid usernames could have been obtained by observing them. Existing portal controls prevent account credentials from being exploited, but an attacker could have used this technique to confirm guessed usernames and enumerate valid accounts.


To mitigate the risk of such a vulnerability leading to spamming, social engineering, or other malicious activity, CA has implemented these improvements. The changes were already deployed during the July 2017 portal maintenance window.

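As an added illustration (not CA's portal code), here is the enumeration oracle the announcement describes beside the hardened behaviour it introduces: a login handler and a password-recovery handler that return different messages for valid and unknown usernames, and their replacements that return one message in every failure case. The user store, password and message strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real accounts.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
# Dummy record so an unknown username still costs one hash computation,
# keeping response timing similar for valid and invalid usernames.
_DUMMY = (_SALT, _hash_pw("placeholder", _SALT))

def login_verbose(username: str, password: str) -> str:
    """Pre-fix behaviour: the failure text differs for valid and invalid
    usernames, so the response itself reveals whether the account exists."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return "Incorrect password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Post-fix behaviour: one generic message for every failure. The hash is
    computed even for unknown usernames; the final membership check stops the
    dummy record from ever authenticating anyone."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_pw(password, salt), stored) and username in USERS
    return "OK" if ok else "Invalid username or password"

def recover_verbose(username: str, outbox: list) -> str:
    """Pre-fix recovery: the message confirms whether the account exists."""
    if username not in USERS:
        return "No such account"
    outbox.append(username)
    return "Reset e-mail sent"

def recover_uniform(username: str, outbox: list) -> str:
    """Post-fix recovery: same message either way; the e-mail is only queued
    (an out-of-band channel) when the account really exists."""
    if username in USERS:
        outbox.append(username)
    return "If an account exists for that username, a reset e-mail has been sent"

def failure_message_variants(handler, usernames, password="wrong-guess") -> set:
    """Defender's check: with a deliberately wrong password, a hardened login
    handler must yield exactly one distinct failure message across usernames."""
    return {handler(u, password) for u in usernames}
```

Running `failure_message_variants` against each handler with a mix of known and unknown usernames is a quick regression test that the messages stay uniform after future changes.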

No further action is required.


On behalf of all the dedicated teams that support your continued success in the cloud with CA PPM SaaS and other products, we thank you.


Kind Regards,

Damon E. Logiudice
