SecurityTracker.com
SecurityTracker
Archives
Category: Application (Generic) > Unicenter Asset Management    Vendors: CA
(CA Issues Fix for Unicenter Products) Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1022689
SecurityTracker URL: http://securitytracker.com/id/1022689
CVE Reference: CVE-2008-1232 (Links to External Site)
Date: Aug 7 2009
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes    Vendor Confirmed: Yes

Description:   A vulnerability was reported in Tomcat. A remote user can conduct cross-site scripting attacks. CA Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, and Unicenter Patch Management are affected.

The HttpServletResponse.sendError() function does not properly filter HTML code from user-supplied input before displaying the input on an error page. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Tomcat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
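The following hypothetical servlet is an added illustration, not code from CA, Tomcat or the advisory: it shows the caller-side pattern that keeps request data out of the error page's HTML regardless of whether the container's own error page escapes the sendError() message. The servlet name, the "id" parameter and the htmlEscape helper are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not CA's or Tomcat's code) that reports a failed
// lookup through sendError(). Because the message echoes request data, an
// error page that does not escape the message would render any markup the
// caller placed in the "id" parameter.
public class AssetLookupServlet extends HttpServlet {

    // Minimal HTML escaping for a text context: the five characters that
    // allow untrusted text to break out of the surrounding markup.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");

        // Risky pattern: the raw parameter flows into the error page unchanged,
        // so the page is only safe if the container escapes it for you.
        // resp.sendError(HttpServletResponse.SC_NOT_FOUND, "No asset with id " + id);

        // Hardened pattern: escape before the message reaches sendError(), so
        // the result is safe on any container, patched or not.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND,
                "No asset with id " + htmlEscape(id));
    }
}
```

Escaping at the call site is a defence in depth on top of the vendor fix; it does not replace applying the CA solution documents listed below.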

Konstantin Kolinko reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Tomcat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   CA has issued a fix for CA Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, and Unicenter Patch Management, which are affected by this vulnerability.

The CA advisory is available at:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095

Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2008 Tomcat Input Validation Hole in HttpServletResponse.sendError() Permits Cross-Site Scripting Attacks



Source Message Contents

Date:  Thu, 6 Aug 2009 19:23:14 -0400
Subject:  CA20090806-02: Security Notice for Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, Unicenter Patch Management


CA20090806-02: Security Notice for Unicenter Asset Portfolio
Management, Unicenter Desktop and Server Management, Unicenter
Patch Management

Issued: August 6, 2009

CA's technical support is alerting customers to a security risk with
Unicenter Asset Portfolio Management, Unicenter Desktop and Server
Management, and Unicenter Patch Management. The release of Tomcat as
included with the products is potentially susceptible to a cross-site
scripting vulnerability.  CA has issued a solution to address the
issue.

Risk Rating

Medium

Platform

Windows

Affected Products

Unicenter Asset Portfolio Management 11.3
Unicenter Asset Portfolio Management 11.3.4
Unicenter Desktop and Server Management 11.2
Unicenter Patch Management 11.2

How to determine if the installation is affected

Customers can use the following technical documents to determine if
an installation is affected.

Unicenter Asset Portfolio Management:
TEC492816

Unicenter Desktop and Server Management:
TEC491323

Unicenter Patch Management:
TEC491323

Solution

Unicenter Asset Portfolio Management:
Follow the instructions in solution document RI09916.

Unicenter Desktop and Server Management,
Unicenter Patch Management:
Follow the instructions in technical document TEC491323.

References

CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232

CA20090806-02: Security Notice for Unicenter Asset Portfolio
Management, Unicenter Desktop and Server Management, Unicenter Patch
Management
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at
http://support.ca.com/

If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Kevin Kotas
CA Product Vulnerability Response Team


Copyright 2012, SecurityGlobal.net LLC