
Cohesion Tomcat Multiple Vulnerabilities



CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities

Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities


CA Advisory Reference: CA20090123-01


CA Advisory Date: 2009-01-23


Reported By: n/a


Impact: A remote attacker can execute arbitrary commands.


Summary: Multiple security risks exist in Apache Tomcat as 
included with CA Cohesion and products that contain CA Cohesion. 
CA has issued an update to address the vulnerabilities. Refer to 
the References section for the full list of resolved issues by CVE 
identifier.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA Cohesion Application Configuration Manager 4.5
CA CMDB Application Server 11.1
Unicenter Service Desk 11.2


Non-Affected Products:
CA Cohesion Application Configuration Manager 4.5 SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following update to address the vulnerabilities.

CA Cohesion Application Configuration Manager 4.5,
CA CMDB Application Server 11.1,
Unicenter Service Desk 11.2:

RO04648
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=RO04648


How to determine if you are affected:

1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the 
   "C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is 
   vulnerable.
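The four steps above can be automated for a fleet of servers. The script below is an added example, not part of CA's advisory; it assumes the Tomcat RELEASE-NOTES file opens with a banner line of the form "Apache Tomcat Version 5.5.xx" and compares the version numerically against the 5.5.25 threshold the advisory gives.

```python
"""Check whether a Tomcat RELEASE-NOTES file reports a version below 5.5.25."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (5, 5, 25)  # per the advisory: anything lower is vulnerable

# Assumption: the RELEASE-NOTES banner reads "Apache Tomcat Version X.Y.Z".
VERSION_RE = re.compile(r"Apache Tomcat Version\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_tomcat_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from RELEASE-NOTES text, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below 5.5.25, False if not, None if no version found.

    Versions are compared as integer tuples: a plain string comparison would
    wrongly rank "5.5.9" above "5.5.25" and report a patched-looking result.
    """
    version = parse_tomcat_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_file(path: str) -> Optional[bool]:
    """Run the check against the RELEASE-NOTES file at `path`."""
    return is_vulnerable(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed samples of the banner the advisory tells you to inspect.
SAMPLE_OLD = "=====\n   Apache Tomcat Version 5.5.20\n   Release Notes\n=====\n"
SAMPLE_NEW = "=====\n   Apache Tomcat Version 5.5.26\n   Release Notes\n=====\n"

if __name__ == "__main__":
    import sys
    # Default is the path named in the advisory; pass another path to override.
    default = r"C:\Program Files\CA\Cohesion\Server\server\RELEASE-NOTES"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    verdict = {None: "version not found", True: "VULNERABLE", False: "not vulnerable"}
    print(verdict[check_file(target)])
```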


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/ 
CA20090123-01: Security Notice for Cohesion Tomcat
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
Solution Document Reference APARs:
RO04648
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
Reported By: 
n/a
CVE References:
CVE-2005-2090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090 
CVE-2005-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510 
CVE-2006-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835 
CVE-2006-7195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195 
CVE-2006-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196 
CVE-2007-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 
CVE-2007-1355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355 
CVE-2007-1358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358 
CVE-2007-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858 
CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449 
CVE-2007-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450 
CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382 
CVE-2007-3385 *
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385 
CVE-2007-3386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 
CVE-2008-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128 
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
http://osvdb.org/ 


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com. 

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/ 
Legal Notice http://www.ca.com/us/legal/ 
Privacy Policy http://www.ca.com/us/privacy/ 
Copyright (c) 2009 CA. All rights reserved.
