January 17, 2019
CA Service Desk Manager customers, please review the following security notice.
For the latest version of this security notice, see
CA20190117-01: Security Notice for CA Service Desk Manager
CA20190117-01: Security Notice for CA Service Desk Manager
Issued: January 17, 2019
Last Updated: January 17, 2019
CA Technologies Support is alerting customers to multiple potential risks with CA Service Desk Manager. Multiple vulnerabilities exist that can allow a remote attacker to access sensitive information or possibly gain additional privileges. CA published solutions to address the vulnerabilities.
The first vulnerability, CVE-2018-19634, is due to how survey access is implemented. A malicious actor can access and submit survey information without authentication.
The second vulnerability, CVE-2018-19635, allows a malicious actor to gain additional privileges.
Risk Rating
High
Platform(s)
All platforms
Affected Products
CA Service Desk Manager 14.1
CA Service Desk Manager 17
How to determine if the installation is affected
CA Service Desk Manager r14.1:
Versions prior to 14.1.05.1 are vulnerable.
CA Service Desk Manager r17 Windows:
Versions 17.1.0.1 and prior without the 17.1.0.1 language patch listed in the Solution section are vulnerable.
CA Service Desk Manager r17 Linux:
Versions prior to 17.1.0.2 are vulnerable.
Solution
CA Technologies published the following solutions to address the vulnerabilities.
CA Service Desk Manager r14.1:
Update to CA Service Desk Manager 14.1.05.1. The rollup patches are available on the CA Service Desk Manager 14.1 Solutions & Patches page.
Windows - SO05733
Sun - SO05716
Linux - SO05715
CA Service Desk Manager R17 Linux:
Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions & Patches page.
CA Service Desk Manager R17 Windows:
Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the corresponding language patch for the Service Desk Manager installation. All fixes are available on the CA Service Desk Manager 17.1 Solutions & Patches page.
Chinese - SO06055
English - SO06036
French - SO06051
French Canadian - SO06039
German - SO06037
Italian - SO06052
Japanese - SO06053
Portuguese - SO06054
Spanish - SO06038
References
CVE-2018-19634 - CA Service Desk Manager survey access
CVE-2018-19635 - CA Service Desk Manager privilege escalation
Acknowledgement
CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep
Change History
Version 1.0: 2019-01-17 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.
Copyright © 2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA Technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.