Tip: Receive "Proactive Notifications" for CA Service Management products

Discussion created by Kyle_R Employee on Jan 18, 2019
Latest reply on Jan 18, 2019 by Chris_Hackett

TIP

A reminder to sign up for "Proactive Notifications" if you are managing a CA product.

 

This email distribution list is used for important information, such as Hyper Notifications, like the current one attached to the end of this post.

 

Note that the Proactive Notifications are the recommended way to be notified of these important updates, as typically the CA Service Management community does NOT double-post the same content here.

 

STEPS

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Select "Critical Updates" (or more options) for your Products, and then "Submit" at the bottom right of the screen.

 

OTHER

The current patch for ITSM 17.1 Roll-up Patch 2 has been released. 

It is recommended to go to the current patch version, rather than one just sufficient to meet the minimum requirements of a Hyper patch.

CA Service Management 17.1 Roll-up Patch 2 (17.1.0.2) Released 

 

Thanks! Kyle_R.

 

________________________________________________________________

Example 

From: ProactiveNotifications@ca.com

CA - PROACTIVE NOTIFICATION - USRD - CRITICAL ALERT - CUSRD-100795

January 17, 2019

 

CA Service Desk Manager customers, please review the following security notice.

 

For the latest version of this security notice, see CA20190117-01: Security Notice for CA Service Desk Manager

 

CA20190117-01: Security Notice for CA Service Desk Manager

 

Issued: January 17, 2019

Last Updated: January 17, 2019

 

CA Technologies Support is alerting customers to multiple potential risks with CA Service Desk Manager. Multiple vulnerabilities exist that can allow a remote attacker to access sensitive information or possibly gain additional privileges. CA published solutions to address the vulnerabilities.

 

The first vulnerability, CVE-2018-19634, is due to how survey access is implemented. A malicious actor can access and submit survey information without authentication.

 

The second vulnerability, CVE-2018-19635, allows for a malicious actor to gain additional privileges.

 

Risk Rating

High

 

Platform(s)

All platforms

 

Affected Products

CA Service Desk Manager 14.1

CA Service Desk Manager 17

 

How to determine if the installation is affected

 

CA Service Desk Manager r14.1:

Versions prior to 14.1.05.1 are vulnerable.

 

CA Service Desk Manager r17 Windows:

Versions 17.1.0.1 and prior without the 17.1.0.1 language patch in the solution section are vulnerable

 

CA Service Desk Manager r17 Linux:

Versions prior to 17.1.0.2 are vulnerable

 

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Service Desk Manager r14.1:

Update to CA Service Desk Manager 14.1.05.1. The rollup patches are available on the CA Service Desk Manager 14.1 Solutions & Patches page.

Windows - SO05733

Sun - SO05716

Linux - SO05715

 

CA Service Desk Manager R17 Linux:

Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions & Patches page.

 

CA Service Desk Manager R17 Windows:

Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the corresponding language patch for the Service Desk Manager installation. All fixes are available on the CA Service Desk Manager 17.1 Solutions & Patches page.

 

Chinese - SO06055

English - SO06036

French - SO06051

French Canadian - SO06039

German - SO06037

Italian - SO06052

Japanese - SO06053

Portuguese - SO06054

Spanish - SO06038

 

References

CVE-2018-19634 - CA Service Desk Manager survey access

CVE-2018-19635 - CA Service Desk Manager privilege escalation

 

Acknowledgement

CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep

 

Change History

Version 1.0: 2019-01-17 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

 

Copyright © 2019 Broadcom. All Rights Reserved. The term Broadcom refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

 

To unsubscribe from this service, please follow the link below:
https://support.ca.com/irj/portal/hyperSubscription

________________________________________________________________
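
The version rules in the "How to determine if the installation is affected" section of the notice above, applied to a host inventory. This is an added example, not part of the original post or of CA's tooling. The inventory, host names and function names are constructed, and it assumes the r17 Windows language patch only counts when the installation is at exactly 17.1.0.1.

```python
# Added example: CA20190117-01 version rules applied to a constructed inventory.
FIXED_14_1 = (14, 1, 5, 1)       # "Versions prior to 14.1.05.1 are vulnerable"
FIXED_17 = (17, 1, 0, 2)         # r17 release that contains the fixes
LANG_PATCH_BASE = (17, 1, 0, 1)  # r17 Windows level the language patches apply to


def parse_version(text):
    """'14.1.05.1' -> (14, 1, 5, 1); leading 'r' dropped, short versions zero-padded."""
    parts = [int(p) for p in text.strip().lstrip("rR").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version, platform, language_patch=False):
    """Return 'vulnerable', 'fixed', 'not_listed' or 'unparseable'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    os_name = platform.strip().lower()
    if v[:2] == (14, 1):                      # r14.1: same rule on every platform
        return "vulnerable" if v < FIXED_14_1 else "fixed"
    if v[0] == 17 and os_name in ("windows", "linux"):
        if v >= FIXED_17:
            return "fixed"
        # Assumption: the language patch only helps on Windows at exactly 17.1.0.1.
        if os_name == "windows" and v == LANG_PATCH_BASE and language_patch:
            return "fixed"
        return "vulnerable"
    return "not_listed"                       # the notice gives no rule for this case


def triage(inventory):
    """Hosts that need patching or a manual version check."""
    needs_action = ("vulnerable", "unparseable")
    return [h["host"] for h in inventory
            if assess(h["version"], h["platform"], h.get("language_patch", False)) in needs_action]


# Constructed sample inventory (not real hosts).
SAMPLE = [
    {"host": "sdm-a", "version": "14.1.04", "platform": "Linux"},
    {"host": "sdm-b", "version": "14.1.05.1", "platform": "Sun"},
    {"host": "sdm-c", "version": "17.1.0.1", "platform": "Windows", "language_patch": True},
    {"host": "sdm-d", "version": "17.1.0.1", "platform": "Windows"},
    {"host": "sdm-e", "version": "17.1.0.1", "platform": "Linux", "language_patch": True},
    {"host": "sdm-f", "version": "17.1.0.2", "platform": "Linux"},
    {"host": "sdm-g", "version": "unknown", "platform": "Windows"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```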
