CA20111208-01: Security Notice for CA SiteMinder Issued: December 08, 2011 CA Technologies Support is alerting customers to a potential risk in CA SiteMinder. A vulnerability exists that can allow a malicious user to execute a reflected cross site scripting (XSS) attack. CA Technologies has issued patches to address the vulnerability. The vulnerability, CVE-2011-4054, occurs due to insufficient validation of postpreservationdata parameter input utilized in the login.fcc form. A malicious user can submit a specially crafted request to effectively hijack a victim’s browser. Risk Rating Medium Platform All Affected Products CA SiteMinder R6 SP6 CR7 and earlier CA SiteMinder R12 SP3 CR8 and earlier Non-Affected Products CA SiteMinder R6 SP6 CR8 CA SiteMinder R12 SP3 CR9 How to determine if the installation is affected Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. Solution CA is issuing patches to address the vulnerability. CA SiteMinder R6: Upgrade to R6 SP6 CR8 or later (Expected Availability: January 2012) CA SiteMinder R12: Upgrade to R12 SP3 CR9 or later CR releases can be found on the CA SiteMinder Hotfix/Cumulative Release page: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}. Workaround None References CVE-2011-4054 - CA SiteMinder login.fcc XSS Acknowledgement CVE-2011-4054 - Jon Passki of Aspect Security, via CERT Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director CA Technologies Product Vulnerability Response Team CA Technologies Business Unit Operations wilja22@xxxxxx
