CA20110420-02: Security Notice for CA Output Management Web Viewer
Issued: April 20, 2011
CA Technologies support is alerting customers to security risks
associated with CA Output Management Web Viewer. Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary code. CA
Technologies has issued patches to address the vulnerabilities.
The vulnerabilities, CVE-2011-1719, are due to boundary errors in the
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote
attacker can create a specially crafted web page to exploit the flaws
and potentially execute arbitrary code.
Risk Rating
High
Platform
Windows
Affected Products
CA Output Management Web Viewer 11.0
CA Output Management Web Viewer 11.5
How to determine if the installation is affected
If the end-user controls are at a version that is less than the
versions listed below, the installation is vulnerable.
File Name                  Version
UOMWV_HelperActiveX.ocx    11.5.0.1
PPSView.ocx                1.0.0.7
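The version check above can be scripted on an end-user workstation. The following PowerShell is an added example, not part of the CA notice or any CA tooling; the search roots (the default Internet Explorer ActiveX cache and Program Files) are assumptions about where the controls may be installed and can be overridden with -SearchRoot.

```powershell
# Added example: flag copies of the two controls that are older than the
# versions listed in the notice. The search roots are assumptions.
param(
    [string[]]$SearchRoot = @(
        (Join-Path $env:SystemRoot 'Downloaded Program Files'),  # assumed: default IE ActiveX cache
        $env:ProgramFiles                                        # assumed: possible install location
    )
)

# Versions from the notice's table; any file below these is vulnerable.
$Required = @{
    'UOMWV_HelperActiveX.ocx' = [version]'11.5.0.1'
    'PPSView.ocx'             = [version]'1.0.0.7'
}

function Get-BinaryFileVersion {
    param([string]$Path)
    # Build the version from the numeric parts. The FileVersion string of
    # older binaries is often formatted like "11, 5, 0, 1" and does not parse.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$results = foreach ($root in ($SearchRoot | Where-Object { $_ -and (Test-Path $_) })) {
    foreach ($name in $Required.Keys) {
        Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # A file with no version resource reads as 0.0.0.0 and is flagged.
                $found = Get-BinaryFileVersion $_.FullName
                New-Object psobject -Property @{
                    Path       = $_.FullName
                    Found      = $found
                    Required   = $Required[$name]
                    Vulnerable = ($found -lt $Required[$name])
                }
            }
    }
}

if (-not $results) {
    Write-Output 'Neither control was found under the search roots.'
} else {
    $results | Sort-Object Path -Unique | Format-Table Path, Found, Required, Vulnerable -AutoSize
    if (@($results | Where-Object { $_.Vulnerable }).Count -gt 0) { exit 1 }
}
```

The non-zero exit code when a vulnerable copy is found lets the script be used from software-inventory or login-script tooling.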
Solution
CA has issued the following patches to address the vulnerability.
CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).
CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls
to be installed (on next attempt to use impacted feature).
References
CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer
Overflows
Acknowledgement
Dmitriy Pletnev, Secunia Research
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22@ca.com