Subject: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
Date: Sat, 24 Jan 2009 13:36:56 -0500
Message-ID: <649CDCB56C88AA458EFF2CBF494B620406374D69@USILMS12.ca.com.>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
Thread-Index: Acl+Urw1SYyPaZxqTIy9x4SYpXiiWg==
From: "Williams, James K" <James.Williams@ca.com.>
To: <bugtraq@securityfocus.com.>
X-OriginalArrivalTime: 24 Jan 2009 18:40:48.0907 (UTC) FILETIME=[46A05DB0:01C97E53]
X-Virus-Scanned: antivirus-gw at tyumen.ru
Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
CA Advisory Reference: CA20090123-01
CA Advisory Date: 2009-01-23
Reported By: n/a
Impact: A remote attacker can execute arbitrary commands.
Summary: Multiple security risks exist in Apache Tomcat as=20
included with CA Cohesion and products that contain CA Cohesion.=20
CA has issued an update to address the vulnerabilities. Refer to=20
the References section for the full list of resolved issues by CVE=20
identifier.
Mitigating Factors: None
Severity: CA has given this vulnerability a Medium risk rating.
Affected Products:
CA Cohesion Application Configuration Manager 4.5
CA CMDB Application Server 11.1
Unicenter Service Desk 11.2
Non-Affected Products
CA Cohesion Application Configuration Manager 4.5 SP1
Affected Platforms:
Windows
Status and Recommendation:
CA has issued the following update to address the vulnerabilities.
CA Cohesion Application Configuration Manager 4.5,
CA CMDB Application Server 11.1,
Unicenter Service Desk 11.2:
RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=3Dsearc=
h
&searchID=3DRO04648
How to determine if you are affected:
1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the=20
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is=20
vulnerable.
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=3D197=
5
40
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By:=20
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-2090
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-3510
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2006-3835
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2006-7195
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2006-7196
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-0450
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-1355
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-1358
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-1858
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-2449
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-2450
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-3382
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-3385
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2007-3386
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-0128
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,=20
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your=20
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=3D177=
7
82
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
=09
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.
