CA20190117-01: Security Notice for CA Service Desk Manager
Issued: January 17, 2019
Last Updated: January 17, 2019
CA Technologies Support is alerting customers to multiple potential risks with CA Service Desk Manager. Multiple vulnerabilities exist that can allow a remote attacker to access sensitive information or possibly gain additional privileges. CA published solutions to address the vulnerabilities.
The first vulnerability, CVE-2018-19634, is due to how survey access is implemented. A malicious actor can access and submit survey information without authentication.
The second vulnerability, CVE-2018-19635, allows a malicious actor to gain additional privileges.
Risk Rating
High
Platform(s)
All platforms
Affected Products
CA Service Desk Manager 14.1
CA Service Desk Manager 17
How to determine if the installation is affected
CA Service Desk Manager r14.1:
Versions prior to 14.1.05.1 are vulnerable.
CA Service Desk Manager r17 Windows:
Versions 17.1.0.1 and prior without the 17.1.0.1 language patch listed in the Solution section are vulnerable.
CA Service Desk Manager r17 Linux:
Versions prior to 17.1.0.2 are vulnerable.
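The version rules above can be applied to an asset inventory with a short script. The following is an added example, not code from CA Technologies. The inventory rows and host names are constructed, and the script assumes the installed version string, platform and language-patch status have already been collected by other means.

```python
import re

# Thresholds taken from the version statements in this notice.
FIXED_14_1 = (14, 1, 5, 1)             # r14.1: prior to 14.1.05.1 is vulnerable
R17_WINDOWS_PATCHABLE = (17, 1, 0, 1)  # r17 Windows: fixed only with language patch
FIXED_17 = (17, 1, 0, 2)               # r17: 17.1.0.2 carries the fix

def parse_version(text):
    """Turn '14.1.05.1' into (14, 1, 5, 1) so components compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad '17.1' to (17, 1, 0, 0)

def is_affected(version, platform, language_patch=False):
    """True/False per this notice; None when the notice does not cover the input."""
    v = parse_version(version)
    platform = platform.lower()
    if v[:2] == (14, 1):
        return v < FIXED_14_1
    if v[0] == 17:
        if platform == "linux":
            return v < FIXED_17
        if platform == "windows":
            if v >= FIXED_17:
                return False
            # Below 17.1.0.2, only 17.1.0.1 plus its language patch is fixed.
            return not (v == R17_WINDOWS_PATCHABLE and language_patch)
    return None

# Constructed sample inventory: (host, version, platform, language patch installed)
INVENTORY = [
    ("sdm-a.example", "14.1.04.0", "windows", False),
    ("sdm-b.example", "14.1.05.1", "sun", False),
    ("sdm-c.example", "17.1.0.1", "windows", True),
    ("sdm-d.example", "17.1.0.1", "windows", False),
    ("sdm-e.example", "17.1.0.1", "linux", False),
]

def triage(inventory):
    """Map each host to its affected status."""
    return {host: is_affected(ver, plat, patch) for host, ver, plat, patch in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(host, {True: "AFFECTED", False: "fixed", None: "not covered"}[status])
```

A result of None means the notice makes no statement about that version and platform combination, so the host needs manual review.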
Solution
CA Technologies published the following solutions to address the vulnerabilities.
CA Service Desk Manager r14.1:
Update to CA Service Desk Manager 14.1.05.1. The rollup patches are available on the CA Service Desk Manager 14.1 Solutions & Patches page.
Windows - SO05733
Sun - SO05716
Linux - SO05715
CA Service Desk Manager r17 Linux:
Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions & Patches page.
CA Service Desk Manager r17 Windows:
Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the corresponding language patch for the Service Desk Manager installation. All fixes are available on the CA Service Desk Manager 17.1 Solutions & Patches page.
Chinese - SO06055
English - SO06036
French - SO06051
French Canadian - SO06039
German - SO06037
Italian - SO06052
Japanese - SO06053
Portuguese - SO06054
Spanish - SO06038
References
CVE-2018-19634 - CA Service Desk Manager survey access
CVE-2018-19635 - CA Service Desk Manager privilege escalation
Acknowledgement
CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep
Change History
Version 1.0: 2019-01-17 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.