CA20190523-01: Security Notice for CA Risk Authentication and CA Strong Authentication

Issued: May 23, 2019
Last Updated: May 23, 2019

The Support team for CA Technologies, A Broadcom Company, is alerting customers to multiple potential risks with CA Risk Authentication and CA Strong Authentication. Multiple vulnerabilities exist that can allow a remote attacker to gain additional access in certain configurations or possibly gain sensitive information. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.

The first vulnerability, CVE-2019-7394, occurs due to insufficient verification of custom privileges. A malicious actor who has access to an account with customized and limited privileges may, in some cases, access resources and act outside of assigned privileges. This exposure does not affect installations where accounts do not have custom privileges.

The second vulnerability, CVE-2019-7393, may enable a malicious actor to conduct UI redress attacks to gain sensitive information in some cases.

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA Risk Authentication 9.0
CA Risk Authentication 8.x
CA Risk Authentication 3.1
CA Strong Authentication 9.0
CA Strong Authentication 8.x
CA Strong Authentication 7.1

How to determine if the installation is affected

Customers should review the solution section to determine whether the fixes are present in their installations.

Solution

CA Technologies published the following solutions to address the vulnerabilities. These fixes are available on the CA support site https://support.ca.com.

CA Risk Authentication 9.0, CA Strong Authentication 9.0:
SS08146

CA Risk Authentication 8.x, CA Strong Authentication 8.x:
SS08143

CA Risk Authentication 3.1:
SS08144

CA Strong Authentication 7.1:
SS08145

References

CVE-2019-7394 - CA Risk Authentication and Strong Authentication Privilege Escalation
CVE-2019-7393 - CA Risk Authentication and Strong Authentication Privilege UI Redress

Acknowledgement

CVE-2019-7393, CVE-2019-7394 - Rohit Yadav

Change History

Version 1.0: Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.