CA Siteminder Vulnerabilities CVE-2015-6853 & CVE-2015-6854
Article ID: 43596
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Issue:


The first vulnerability, CVE-2015-6853, occurs due to insufficient verification of requests in the CA SSO Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. Only CA SSO customers using the Domino web agent are affected by this vulnerability.

The second vulnerability, CVE-2015-6854, occurs due to insufficient verification of requests in all CA SSO web agents other than the Domino web agent. A remote attacker can make a request that could result in a crash or the disclosure of sensitive information. CA has assigned this vulnerability a High risk rating. The web agents in CA SSO versions 12.51 and 12.52 are not affected by this vulnerability. Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are also not affected by this vulnerability.


Read more at http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160323-01-security-notice-for-ca-single-sign-on-web-agents.aspx


Environment: 


CVE-2015-6853 applies to the Domino web agent with the following versions:

CA Single Sign-On R6, R12, R12.0J, R12.5, R12.51, R12.52

CVE-2015-6854 applies to all web agents, except the Domino agent, with the following versions:

CA Single Sign-On R6, R12, R12.0J, R12.5

Note: Secure Proxy Server (SPS) Agents, SharePoint Agents, Application Server Agents, ERP Agents, Web Agent Option Pack, and Custom Agents are not impacted by these vulnerabilities.


Resolution:


Customers running R6 agents should update to a web agent from CA SSO R12.0 SP3 CR13, R12.0J SP3 CR1.2, R12.5 CR5, R12.51 CR4, or R12.52 SP1 CR3.

Fix table for CVE-2015-6853

Web Agent Version          Fix Version
R12.0 Domino web agent     R12.0 SP3 CR13
R12.0J Domino web agent    R12.0J SP3 CR1.2
R12.5 Domino web agent     R12.5 CR5
R12.51 Domino web agent    R12.51 CR4
R12.52 Domino web agent    R12.52 SP1 CR3

Fix table for CVE-2015-6854

Web Agent Version                                Fix Version
R12.0 web agents except the Domino web agent     R12.0 SP3 CR13
R12.0J web agents except the Domino web agent    R12.0J SP3 CR1.2
R12.5 web agents except the Domino web agent     R12.5 CR5
R12.51 web agents except the Domino web agent    Not affected
R12.52 web agents except the Domino web agent    Not affected

Note: Customers should update SSO R6 web agents to a fixed R12.52, R12.51, or R12 agent version.


Additional Information:


http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/ca20160323-01-security-notice-for-ca-single-sign-on-web-agents.aspx


CVE-2015-6853 - Single Sign-On Domino web agent denial of service, information disclosure
CVE-2015-6854 - Single Sign-On web agent denial of service (non-Domino), information disclosure

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus