search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

CA LISA Release Automation contains multiple vulnerabilities

Vulnerability Note VU#343060

Original Release Date: 2014-12-15 | Last Revised: 2014-12-17

Overview

CA LISA Release Automation 4.7.1.385 contains multiple vulnerabilities

Description

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-8246

CA LISA Release Automation 4.7.1.385 contains a global Cross-Site Request Forgery (CSRF) vulnerability. The application allows a malicious user to perform actions on the site with the same permissions as the victim. This vulnerability requires the attacker to be authenticated and have an active session.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-8247

CA Release Automation 4.7.1.385 contains a global cross-site scripting (XSS) vulnerability in the server exception message.

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2014-8248

CA Release Automation 4.7.1.385 contains a SQL injection vulnerability in the filter and parent parameters. This vulnerability may allow an authenticated attacker to elevate privileges by extracting the hash of the administrator user.

Note: the CVSS score reflects CVE-2014-8246

Impact

A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session, elevate privileges, or perform actions as an authenticated user.

Solution

Apply an Update
CA has developed a hotfix which is available on their site. The b448 hotfix includes patches for all of the listed vulnerabilities. Please see CA's security notice for more details.

Vendor Information

343060
 
Expand all

CA Technologies Affected

Notified:  October 23, 2014 Updated: December 17, 2014

Status

Affected

Vendor Statement

Issued: December 15, 2014

CA Technologies Support is alerting customers to multiple
vulnerabilities in CA Release Automation (formerly CA LISA Release
Automation, change effective 2014-09-19).

The first vulnerability, CVE-2014-8246, is a cross-site request forgery
(CSRF) issue related to insufficient validation.  A remote attacker can
potentially execute privileged actions on a vulnerable website.

The second vulnerability, CVE-2014-8247, is a cross-site scripting (XSS)
issue caused by insufficient input filtering.  A remote attacker can
execute specially crafted script.

The third vulnerability, CVE-2014-8248, is a SQL injection issue caused
by insufficient input sanitization.  An attacker with a non-privileged
account could utilize a specially crafted query to access privileged
information.

Risk Rating

Medium

Platform

Windows
Linux
Solaris

Affected Products

CA Release Automation 4.7.1 Build 413 and earlier

Unaffected Products

CA Release Automation 4.7.1 Build 448

How to determine if the installation is affected

To confirm that cumulative hot fix b448 is installed, navigate to the
RA â€𕎫out Automation Studioâ€

Vendor Information

None

Vendor References


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 6.1 E:POC/RL:U/RC:ND
Environmental 1.5 CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Julian Horoszkiewicz and Lukasz Plonka for reporting these vulnerabilities.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-8246, CVE-2014-8247, CVE-2014-8248
Date Public: 2014-12-15
Date First Published: 2014-12-15
Date Last Updated: 2014-12-17 15:41 UTC
Document Revision: 24

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis