Description: Two vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) An error in the handling of certain specially crafted messages sent to port 4105/tcp can be exploited to cause a DoS.
2) An error in the handling of CAM control messages can be exploited to cause a DoS via spoofed CAM control messages.
The vulnerabilities have been reported in all versions of the CA CAM software prior to version 1.07 Build 220_16 and prior to version 1.11 Build 29_20, as included in the following products:
* Advantage Data Transport 3.0
* BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
* BrightStor Portal 11.1
* CleverPath OLAP 5.1
* CleverPath ECM 3.5
* CleverPath Predictive Analysis Server 2.0, 3.0
* CleverPath Aion 10.0
* eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
* Unicenter Application Performance Monitor 3.0, 3.5
* Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1
* Unicenter Data Transport Option 2.0
* Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
* Unicenter Jasmine 3.0
* Unicenter Management for WebSphere MQ 3.5
* Unicenter Management for Microsoft Exchange 4.0, 4.1
* Unicenter Management for Lotus Notes/Domino 4.0
* Unicenter Management for Web Servers 5, 5.0.1
* Unicenter NSM 3.0, 3.1
* Unicenter NSM Wireless Network Management Option 3.0
* Unicenter Remote Control 6.0, 6.0 SP1
* Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
* Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1
* Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
* Unicenter TNG JPN 2.2
Solution: Apply patch.
CAM v1.11 (prior to Build 29_20):
http://supportconnectw.ca.com/public/...docs/camessagsecurity_cam111fixes.asp
CAM v1.07 (prior to Build 220_16):
http://supportconnectw.ca.com/public/...docs/camessagsecurity_cam107fixes.asp
CAM v1.05 (all versions):
http://supportconnectw.ca.com/public/...docs/camessagsecurity_cam107fixes.asp
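The build thresholds above can be applied to a host inventory to decide which systems still need the patch. The following is an added example, not vendor code: it assumes CAM versions are recorded as strings in the form the advisory uses ("1.07 Build 220_16") and that build numbers order as integer pairs; the hostnames and inventory entries are constructed.

```python
import re

# Fixed builds per CAM branch, taken from the advisory text above.
# None means the advisory names no fixed build for that branch (all versions affected).
FIXED_BUILDS = {"1.11": (29, 20), "1.07": (220, 16), "1.05": None}

# Assumed string shape: "<branch> Build <a>_<b>", as the advisory writes it.
VERSION_RE = re.compile(r"^\s*v?(\d+\.\d+)(?:\s+Build\s+(\d+)_(\d+))?\s*$", re.IGNORECASE)


def cam_status(version_string):
    """Classify a CAM version string as 'affected', 'fixed' or 'unknown'."""
    m = VERSION_RE.match(version_string)
    if not m:
        return "unknown"          # unparseable: needs manual review
    branch, build_a, build_b = m.groups()
    if branch not in FIXED_BUILDS:
        return "unknown"          # branch not named in the advisory
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return "affected"         # v1.05: all versions
    if build_a is None:
        return "unknown"          # branch known, build number missing
    # Assumption: builds compare as integer pairs, e.g. 220_16 -> (220, 16).
    return "affected" if (int(build_a), int(build_b)) < fixed else "fixed"


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory."""
    return {host: cam_status(v) for host, v in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE = {
    "nsm-01": "1.07 Build 220_13",
    "nsm-02": "1.07 Build 220_16",
    "usd-01": "1.11 Build 29_20",
    "usd-02": "1.11 Build 27_4",
    "tng-01": "1.05 Build 40_3",
    "ecm-01": "1.09 Build 1_1",
    "aion-01": "1.11",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {SAMPLE[host]:20} {status}")
```

Hosts reported as "unknown" run a branch the advisory does not name or lack a recorded build number, and need manual verification against the vendor notice.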
Provided and/or discovered by: The vendor credits Nicolas Pouvesle of Tenable Network Security.
Changelog: 2006-02-03: Added CVE reference.
Original Advisory: http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_notice.asp