CA Release Automation Object Deserialization Error Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID: 1041591
SecurityTracker URL: http://securitytracker.com/id/1041591
Date: Aug 31 2018
Execution of arbitrary code via network, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): 6.3, 6.4, 6.5; possibly older versions
A vulnerability was reported in CA Release Automation. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted data to trigger an object deserialization error and execute arbitrary code on the target system.
Jakub Palaczynski and Maciej Grabiec reported this vulnerability.
A remote user can execute arbitrary code on the target system.
The vendor has issued a fix (6.3 Cumulative Fix build 9945, 6.4 Cumulative Fix build 10119, 6.5 Cumulative Fix build 10080).
The vendor advisory is available at:
Vendor URL: support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-03--security-notice-for-ca-release-automation.html
Access control error, State error
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Source Message Contents
Subject: [FD] CA20180829-03: Security Notice for CA Release Automation
CA20180829-03: Security Notice for CA Release Automation
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to a potential risk with
CA Release Automation. A vulnerability exists that can allow an
attacker to potentially execute arbitrary code.
The vulnerability, CVE-2018-15691, has a high risk rating and concerns
insecure deserialization of a specially crafted serialized object,
which can allow an attacker to potentially execute arbitrary code.
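The flaw class the notice describes (a serialized object from an untrusted source deserialised without restriction), shown as an added example that is not CA's code; the notice does not say which serialization mechanism the product uses, so Java object serialization and the constructed Job message type are assumptions. The first reader is the vulnerable pattern, the second applies a JDK ObjectInputFilter allowlist so that any class the application does not expect is rejected before it is resolved:

```java
import java.io.*;
import java.util.ArrayList;

public class SafeDeserialization {

    // Constructed stand-in for a message type the application legitimately expects.
    static final class Job implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Job(String name) { this.name = name; }
    }

    // Allowlist filter (JEP 290): Job and the String it carries are accepted;
    // every other class named in the stream is rejected before it is loaded.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialization$Job;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: instantiates whatever class the untrusted bytes name.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for each class before any of its code runs.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Job ok = (Job) readFiltered(serialize(new Job("deploy")));
        System.out.println("accepted expected type: " + ok.name);
        // A stream naming a class outside the allowlist; a harmless collection
        // stands in for whatever class an untrusted stream might name.
        byte[] unexpected = serialize(new ArrayList<>());
        readUnfiltered(unexpected); // silently accepted: the vulnerable behaviour
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running it prints the accepted Job name, then "rejected: filter status: REJECTED" for the stream the filter refuses; the same filter can be applied process-wide with the jdk.serialFilter system property instead of per stream.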
All supported platforms
CA Release Automation 6.3
CA Release Automation 6.4
CA Release Automation 6.5
Note: older, unsupported releases may be affected.
CA Release Automation 6.6
CA Release Automation 220.127.116.1145 or later
CA Release Automation 18.104.22.16819 or later
CA Release Automation 22.214.171.12480 or later
How to determine if the installation is affected
Check the build number with the Help->About menu option, or determine
which fixes are applied by looking at the Fix_Maintenance directory.
CA Technologies published the following solutions to address the
CA Release Automation 6.3:
Apply Cumulative Fix build 9945 or later.
CA Release Automation 6.4:
Apply Cumulative Fix build 10119 or later.
CA Release Automation 6.5:
Apply Cumulative Fix build 10080 or later.
CVE-2018-15691 - CA Release Automation deserialization vulnerability
CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec
Version 1.0: 2018-08-29 - Initial Release
Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022
Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/