CA20170109-01: Security Notice for CA Service Desk Manager

Issued: January 10, 2017
Last Updated: January 10, 2017

CA Technologies support is alerting customers to a potential risk with CA Service Desk Manager. A vulnerability exists in RESTful web services that can potentially allow a remote authenticated attacker to view or modify sensitive information. Fixes are available.

The vulnerability, CVE-2016-10086, is due to incorrect permissions being applied to certain RESTful requests that can allow a malicious user to view or update task information. This vulnerability only affects CA Service Desk Manager installations with RESTful web services running.

Risk Rating

Medium

Platform(s)

Windows, Linux, Solaris, AIX

Affected Products

CA Service Desk Manager 12.9
CA Service Desk Manager 14.1

How to determine if the installation is affected

If RESTful web services are installed, the product could be vulnerable. Please check if RESTful web services are installed and running. The following command on the server where Service Desk is installed can give the status of the RESTful web services:

    pdm_tomcat_nxd -c status -t REST

If the status is Running, the product installation is vulnerable.

Solution

Product Version, Platform    Fix
12.9, Windows                RO93722
12.9, Linux                  RO93730
12.9, Solaris                T52Y601
12.9, AIX                    T52Y602
14.1, Windows                RO93720
14.1, Linux                  RO93721
14.1, Solaris                T52Y593
14.1, AIX                    T52Y594

Note: Customers must request "T" fixes and non-English fixes from CA support. Published "RO" fixes can be downloaded from the Service Desk Manager product page on the "Solutions & Patches" sub-page.
https://support.ca.com/

References

CVE-2016-10086 - CA Service Desk Manager RESTful web services task vulnerability

Acknowledgement

CVE-2016-10086 - Bruno de Barros Bulle

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.