CA License Security Notice Attention CA Customers: License Patches Are Now Available To Address Buffer Overflows Working closely with eEye Digital Security and iDEFENSE, the CA Technical Support team has resolved multiple vulnerability issues recently discovered in the CA License software. Both eEye and iDEFENSE have confirmed that these vulnerabilities have been properly addressed. CA has made patches available to any affected license users. Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with local SYSTEM privileges. This affects versions of the CA License software v1.53 through v1.61.8 on the specified platforms. Customers with these vulnerable versions should upgrade to CA License 1.61.9 or higher. CA License patches that address these issues can be downloaded from the link below. http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp CA strongly recommends the application of the appropriate CA License patch. Affected products: The vulnerability exists if the CA License package version on the system is between v1.53 and v1.61.8. Affected platforms: AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac. Determining CA License versions: 1. Obtain the CA License package version: Windows: The CA license package version can be obtained by checking the file version of lic98version.exe. Right click on lic98version.exe, choose Properties, and then select the Version tab. Unix/Linux/Mac: Run lic98version from a command prompt to print out the version number and/or write it to lic98version.log. OR 2. Obtain the version of the vulnerable file: If the lic98version file does not exist on the system (which may be the case with older versions of the license package), check the version of the affected file itself: Windows: Obtain the version of lic98rmt.exe by right-clicking on the file, choosing Properties, and then selecting the Version tab. The vulnerability exists if the version is between 0.1.0.15 and 1.4.6. Unix/Linux/Mac - Run strings licrmt | grep BUILD from a Command prompt. The following string format will be returned: "LICAGENT BUILD INFO = /x.x.x/Apr 16 2003/17:13:35", Where x.x.x is the file version. The vulnerability exists if this file version is between v1.0.15 thru v1.4.6. Note the following default license install directories: Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic Should you require additional information, please contact CA Technical Support at http://supportconnect.ca.com. Select Language for translations of this advisory: English: http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp Deutsch: http://www.ca.com/de/support/security_notice.htm FranÃais: http://www.ca.com/france/notification_securite.htm EspaÃol: http://www.ca.com/es/local/security_notice.htm Japanese (ææè): http://www.casupport.jp/resources/info/050301security_notice.htm Chinese (äæ): http://www.ca.com.cn/press/releases/2005/03/security_notice.htm Italiano: http://www.ca.com/it/security_notice.htm/ PortuguÃs: http://www.ca.com/br/security_notice.htm Computer Associates International, Inc. (CA). One Computer Associates Plaza. Islandia, NY 11749 Contact Us http://ca.com/catalk.htm Legal Notice http://ca.com/calegal.htm Privacy Policy http://ca.com  2005 Computer Associates International, Inc. All rights reserved -- kw Ken Williams ; Vulnerability Research Computer Associates ; james.williams@xxxxxx A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
