-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20170504-01: Security Notice for CA Client Automation OS Installation Management Issued: May 4, 2017 Last Updated: May 4, 2017 CA Technologies is alerting customers to a potential risk with CA Client Automation OS Installation Management. A vulnerability exists that can allow a local attacker to gain sensitive information on operating systems installations created by CA Client Automation OS Installation Management. A solution is available. The vulnerability, CVE-2017-8391, occurs due to insecure storage of account credentials used by OS Installation Management during operating system installation. A local attacker can potentially access a sensitive file containing account credentials and decrypt a password. Depending on the privileges associated with the credentials, an attacker can potentially gain further access. This vulnerability only affects operating system installations created by CA Client Automation with OS Installation Management. Risk Rating High Platform(s) Windows, Linux Affected Products Only CA Client Automation releases implementing OS Installation Management are vulnerable. CA Client Automation r14.0, r14.0 SP1 CA Client Automation r12.9 CA Client Automation (formerly CA IT Client Manager) Release and Support Lifecycle Dates How to determine if the installation is affected Customers may review the technical document in the solution section to determine if any operating system installation created by CA Client Automation OS Installation Management is affected. Solution CA Technologies published the following solution to address the vulnerability. CA Client Automation, all releases: Follow the instructions in TEC1911981 References CVE-2017-8391 - Client Automation OS Installation Management insecure password storage Acknowledgement CVE-2017-8391 - Christoph Falta Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln <AT> ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Team Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsFVAwUBWQyL5MMr2sgsME5lAQraoxAAnuqXSlrCUIZrmwY1+JdqmclxgSEn7OJi StmIM2ujSaZhNcrk9uAbXEmdsIiuOPKYsqPjDZLqLjv//EO8KTmgfvuclwITtUax ik8Bio4+w1HEIuqVaaO+RTP00y+NzsyVrDX5wilW2xLXYgC3yfqOUevFIvCWG8vW DVlQAkSt1PSEPfc4JBt3kYK20QJ1ZpASfxss4FGxc4emtpT34bPZKn3hh9MYa9A5 Qmejo0cWHqic6g3Xu/4t23yuE19YzrMyhCIC796Ak4TIv8r+aQZXkUTWxkSUV6Cs eBsnqv/Fut5oOMYQBZmhDE5aLNEGyT+Xy4SinNOcBeCQt2I3Ym2N4XjfXsmux+JF zVIeN6fbz7g7Xnih8NQMHW/pdNv3tzesI2vVJDrzSp7s563H0B8hbMu2hHHeALZQ AoDqf9+cugBtt3GSyhshb2NDw0zYHPpVRkTrkU5QCq3LC+Kl4lpclfmoc+C5mXd/ vX94Z22Nr57KBSqNs4xaefHRgvxirwkK/t7ersuoPbDXBra3v89QYb9//IkIc4vz cVoXJin7yLCf3TIAQE17P0mAUTGKxfZWZwR54vbeZzSp4eh1EMtuxeyr+v5MDwuP YeTcr9wSFOux99bufHDfpp7h8eqFAelkx/SskCOQ8503sChss6yUOEaP+80yDau2 42isb+fV/dc= =kkkx -----END PGP SIGNATURE-----