CA Technologies Information for VU#343060

CA LISA Release Automation contains multiple vulnerabilities

Status

Affected

Vendor Statement

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple
vulnerabilities in CA Release Automation (formerly CA LISA Release
Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery
(CSRF) issue related to insufficient validation.  A remote attacker can
potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)
issue caused by insufficient input filtering.  A remote attacker can
execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused
by insufficient input sanitization.  An attacker with a non-privileged
account could utilize a specially crafted query to access privileged
information.

Risk Rating

Medium

Platform

Windows
Linux
Solaris

Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the
RA ‚€œAbout Automation Studio‚€Ě page and check the displayed version.
Patched systems will display version 4.7.1.448 or later.

Alternatively, you can also see which fixes (you can see the fix
folders) are applied by looking at the Fix_Maintenance directory.

Windows example:
C:\Program Files\CA\LISAReleaseAutomationServer\Fix_Maintenance

Linux, Solaris example:
/opt/LISAReleaseAutomationServer/Fix_Maintenance

Solution

CA Technologies has issued the following fix to address the
vulnerabilities.

CA Release Automation 4.7.1:
Apply Hot Fix 5 (cumulative hot fix b448) for CA Lisa Release
Automation 4.7.1

Workaround

None

References

CVE-2014-8246 ‚€“ Release Automation cross-site request forgery (CSRF)
CVE-2014-8247 ‚€“ Release Automation cross-site scripting (XSS)
CVE-2014-8248 ‚€“ Release Automation SQL injection

Acknowledgement

CVE-2014-8246 ‚€“ Lukasz Plonka, Julian Horoszkiewicz
CVE-2014-8247 ‚€“ Julian Horoszkiewicz
CVE-2014-8248 ‚€“ Lukasz Plonka

Change History

v1.0: 2014-12-15, Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com

CA Technologies Product Vulnerability Response Team PGP Key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20141215-01-security-notice-for-ca-lisa-release-automation.aspx

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.