CA20180501-01: Security Notice for CA Spectrum

All CA Spectrum releases, prior to Spectrum 10.2.3 are suspect for the vulnerability.

CA Technologies Support is alerting customers to a potential risk with CA Spectrum. A vulnerability exists that can allow an unauthenticated remote attacker to cause a denial of service. CA has solutions to resolve the vulnerability.

The vulnerability, CVE-2018-6589, occurs due to how a Spectrum network service handles invalid data. A remote attacker can send a request that may disrupt a Spectrum service and potentially cause further product instability.

Risk Rating: CVE-2018-6589 High

Platforms affected: All

Affected GA Releases:
CA Spectrum 10.1.x 
CA Spectrum 10.2.x prior to Spectrum 10.2.3

How to determine if the installation is affected

If you are running any release other than Spectrum 10.2.3, you need to verify the release level and patch level of all your SpectroSERVERs and OneClick web servers, to ensure they are not at risk.

To determine your release of Spectrum:

1. CA OneClick Console: Click on Help -> About
2. Open the Spectrum Console Panel on the SpectroServer and click on Help -> About
3. On SpectroSERVER: Go to the Spectrum install directory, open the .installrc file and find the "VERSION"

• For Spectrum 10.0.0 or older: Your release of Spectrum has already reach "End of Service". You will need to upgrade to Spectrum 10.2.3.
• For Spectrum 10.1.0 - 10.1.1: You will need to upgrade to at least Spectrum 10.1.2 in order to patch your systems.
• For Spectrum 10.2.0: You will need to upgrade to at least Spectrum 10.2.1 in order to patch your systems.
• For Spectrum 10.1.2, Spectrum 10.2.1, or Spectrum 10.2.2: You need to check the patch level of each Spectrum server to determine if the server is at risk.

To check the patch level of each server:

1. On the SpectroSERVER and OneClick Web Server: Go to the Spectrum Install directory.
2. Locate the .history file. 
3. Review the contents of the .history file, and look for an entry containing the following patch, that corresponds with your release of Spectrum:
   • Spectrum_10.01.02.PTF_10.1.239
   • Spectrum_10.02.01.PTF_10.2.193
   • Spectrum_10.02.02.PTF_10.2.227
4. If you do not see an entry for the specified patch, that corresponds to your release of Spectrum, contact CA Spectrum Support and request a copy of the patch. It will be helpful to provide the contents of the .history file, so the CA Spectrum Support Engineer, can verify which patch you need.

Solution

CA Technologies has published the following solutions to resolve this vulnerability. 
Note: When applying the patch, all SpectroSERVERs and OneClick server will need to be patched.

• CA Spectrum 10.1.2: Apply Spectrum_10.01.02.PTF_10.1.239
• CA Spectrum 10.2.1: Apply Spectrum_10.02.01.PTF_10.2.193
• CA Spectrum 10.2.2: Apply Spectrum_10.02.02.PTF_10.2.227

Upgrading to Spectrum 10.2.3 will also address this issue.

For more information see:
CA20180501-01 - Security Notice for CA SPECTRUM