CA20110420-01: Security Notice for CA SiteMinder
Issued: April 20, 2011
CA Technologies support is alerting customers to a security risk
associated with CA SiteMinder. A vulnerability exists that can allow a
malicious user to impersonate another user. CA Technologies has
issued patches to address the vulnerability.
The vulnerability, CVE-2011-1718, is due to improper handling of
multi-line headers. A malicious user can send specially crafted data
to impersonate another user.
Risk Rating
Medium
Platform
Windows
Affected Products
CA SiteMinder R6 Web Agents prior to R6 SP6 CR2
CA SiteMinder R12 Web Agents prior to R12 SP3 CR2
How to determine if the installation is affected
Check the Web Agent log to obtain the installed release version. Note
that the "webagent.log" file name is configurable by the SiteMinder
administrator.
Solution
CA has issued patches to address the vulnerability.
CA SiteMinder R6:
Upgrade to R6 SP6 CR2 or later
CA SiteMinder R12:
Upgrade to R12 SP3 CR2 or later
CR releases can be found on the CA SiteMinder Hotfix / Cumulative
Release page:
support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/5262/5262_fixindex.html
References
CVE-2011-1718 - CA SiteMinder Multi-line Header Vulnerability
Acknowledgement
April King (april@twoevils.org)
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782