Vulnerability Note VU#619988

Computer Associates Message Queuing software vulnerable to buffer overflows

Original Release date: 23 Aug 2005 | Last revised: 21 Oct 2005

Overview

Computer Associates Message Queuing software contains buffer overflow conditions, which may allow a remote attacker to execute arbitrary code with elevated privileges.

Description

Computer Associates Message Queuing (CAM / CAFT) is a software component that provides messaging services. CAM provides a "store and forward" messaging framework for applications, and CAFT is an application that utilizes CAM for file transfers. Multiple Computer Associates applications use CAM / CAFT for their messaging requirements. According to the Computer Associates SupportConnect document, the following applications use CAM / CAFT:

    AdviseIT 2.4
    Advantage™ Data Transport 3.0
    BrightStor® SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
    BrightStor® Portal 11.1
    CleverPath™ OLAP 5.1
    CleverPath™ ECM 3.5
    CleverPath™ Predictive Analysis Server 2.0, 3.0
    CleverPath™ Aion 10.0
    eTrust™ Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
    Unicenter Performance Management for OpenVMS r2.4 SP3
    Unicenter® Application Performance Monitor 3.0, 3.5
    Unicenter® Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1
    Unicenter® Data Transport Option 2.0
    Unicenter® Enterprise Job Manager 1.0 SP1, 1.0 SP2
    Unicenter® Jasmine 3.0
    Unicenter® Management for WebSphere MQ 3.5
    Unicenter® Management for Microsoft Exchange 4.0, 4.1
    Unicenter® Management for Lotus Notes/Domino 4.0
    Unicenter® Management for Web Servers 5, 5.0.1
    Unicenter® NSM 3.0, 3.1
    Unicenter® NSM Wireless Network Management Option 3.0
    Unicenter® Remote Control 6.0, 6.0 SP1
    Unicenter® Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
    Unicenter® Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1
    Unicenter® TNG 2.1, 2.2, 2.4, 2.4.2
    Unicenter® TNG JPN 2.2

Computer Associates CAM / CAFT contains multiple buffer overflow conditions.

Impact

A remote attacker may be able to execute arbitrary code on the CAM / CAFT system with elevated privileges.

Solution

Upgrade or patch
Please see the Computer Associates SupportConnect notice for fix availability.

Systems Affected

Vendor                 Status      Date Notified   Date Updated
Computer Associates    Affected    -               23 Aug 2005

CVSS Metrics

Group            Score   Vector
Base             N/A     N/A
Temporal         N/A     N/A
Environmental    N/A     N/A

Credit

Thanks to Computer Associates for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2005-2668
  • Date Public: 19 Aug 2005
  • Date First Published: 23 Aug 2005
  • Date Last Updated: 21 Oct 2005
  • Severity Metric: 13.13
  • Document Revision: 22
