CA20100304-01: Security Notice for CA SiteMinder
Issued: March 04, 2010
CA's support is alerting customers to a security risk with CA
SiteMinder. Multiple cross site scripting (XSS) vulnerabilities
exist that can allow a remote attacker to potentially gain
sensitive information. CA has provided guidance to remediate the
The vulnerabilities, CVE-2009-3731, are due to insufficient
validation of input strings. An attacker can potentially steal
network domain credentials by enticing a user to visit a web page
that contains malicious content.
Red Hat Linux
CA SiteMinder 6.0 (SP4 and earlier)
How to determine if the installation is affected
The vulnerability is caused by an issue with the publishing tool
used to create the online help and HTML documentation for older CA
SiteMinder releases (6.0 SP4 and earlier). This vulnerability
affects CA SiteMinder in the following ways:
* HTML versions of the product documentation for SiteMinder can
be deployed on an individual system or through a web server. If
product documentation has been deployed on a web server the
SiteMinder 6.0 installation is vulnerable.
* Online help systems for SiteMinder are deployed and accessible
through a web server. This vulnerability applies to help systems.
In both cases, this vulnerability applies if web access to the
associated web servers has been configured to make use of
non-public (client-specific) information.
* Upgrade Policy Servers to the latest service pack for SiteMinder
6.0. Remove older versions of the product documentation from your
* For Integrated Document sets, if you have deployed the HTML
version of documentation to a web server, move the documentation
to a file server and delete the documentation from the web server.
* For Online Help systems, remove the help systems from the
application folders and place them on a file system for future
reference. Note that this will cause help links to fail in the
The folders that contain help systems are:
o Administrative UI Help: