CA20170109-01: Security Notice for CA Service Desk Manager

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20170109-01: Security Notice for CA Service Desk Manager

Issued: January 10, 2017
Last Updated: January 10, 2017

CA Technologies support is alerting customers to a potential risk
with CA Service Desk Manager. A vulnerability exists in RESTful
web services that can potentially allow a remote authenticated
attacker to view or modify sensitive information. Fixes are
available.

The vulnerability, CVE-2016-10086, is due to incorrect permissions
being applied to certain RESTful requests that can allow a malicious
user to view or update task information. This vulnerability only
affects CA Service Desk Manager installations with RESTful web
services running.

Risk Rating

Medium

Platform(s)

Windows, Linux, Solaris, Aix

Affected Products

CA Service Desk Manager 12.9
CA Service Desk Manager 14.1

How to determine if the installation is affected

If RESTful web services are installed, the product could be
vulnerable. Please check if RESTful web services are installed and
running. The following command on the server where Service Desk is
installed can give the status of the RESTful web services:

pdm_tomcat_nxd -c status -t REST

If the status is Running, the product installation is vulnerable.

Solution

Product Version, Platform
Fix

12.9, Windows
RO93722

12.9, Linux
RO93730

12.9, Solaris
T52Y601

12.9, AIX
T52Y602

14.1, Windows
RO93720

14.1, Linux
RO93721

14.1, Solaris
T52Y593

14.1, AIX
T52Y594

Note: Customers must request "T" fixes and non-English fixes from CA
support. Published "RO" fixes can be downloaded from the Service Desk
Manager product page on the "Solutions & Patches" sub-page.

https://support.ca.com/

References

CVE-2016-10086 - CA Service Desk Manager RESTful web services task
vulnerability

Acknowledgement

CVE-2016-10086 - Bruno de Barros Bulle

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=3D177782

Regards,

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2017 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022.  All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsFVAwUBWHbfQDuotw2cX+zOAQrhqBAAiHOi4d5Gte9wH5zIzh7Nw0r+P0iYGku9
OdnySuP9yXF+NzsGlwSukhKhchUR8AG74h88jeNeqaSFPL6RbAMllyQQ4h0oup/8
R+3MOTL31hm0Ig1vNq1DR8BPkc8TrjA+LCYKUXRUOV2Rn8Bi/NOjkod2nD3WrDq7
jKsRdUo4/T/lcjnCiCf3DXy/Oh5/0xKb/+gIG/tfMd3TK2VQnUsijTJ/skWxyL9o
fCvyVXaqvPrai9ZWkTvAzWGFWeEMrOaNXPs4KAxzaw8OwRzLObgRbfCQMJDrfnKZ
8UcJ3oqd2PfdJevH/uNPKB1gknjLyGF6jM8YZPk3XtnbrCV44ZOpbR4DDSmPPsB+
UyxbzhZfAQu3C+DVfWS6oIV3iQP5b/fKUjzIx7lw6nCggIp/wCP7craxYTyNpJvI
84KrlFmy6l8pOU7+jOoPdkoIrMRwxn6g0AjX6QHiuKCNyNBGKm+zMyeGo7Sn8f70
mMidcJ/SfPpFPiC7GsOUIf1i9ZRzZZQS4lsySMkXOlwYaTDpvFURj751yXU6bkyx
EnZBazvy/ST/5spb7LFMu2bf6SnjlPknGfx/KUcbZLNcx5MoOxhPSFhs7k2t8hAD
HLvmY3C9cHbs61u3aQLMc6HpPfr/yblYipryAd4OME+X1Woa3w9VgnkXZTPN7m6E
9BzkdVZk19Q=3D
=3D2Xtz
-----END PGP SIGNATURE-----