CA has become aware of two vulnerabilities in the CA Message Queuing

(CAM / CAFT) software distributed with some CA products that makes them susceptible to Denial-of-Service (DOS) attacks.

(PresseBox) ( Darmstadt, )
Patches are now available and CA recommends all customers install the patch as soon as possible. Details of the vulnerability follow:

What is the vulnerability:
The following security vulnerability issues have been identified in the CA Message Queuing (CAM / CAFT) software; CAM is vulnerable to a Denial of Service (DoS) attack when a specially crafted message is received on TCP port 4105.
CAM is vulnerable to a Denial of Service (DoS) through the spoofing of CAM control messages. For clarity; CAM is a messaging sub-component which provides a "store and forward"
messaging framework for applications. A number of CA applications now use CAM for their messaging requirements. CAFT is an application, supplied with CAM, which utilises CAM for file transfers. CAFT is driven by messages it receives from CAM enabled applications. A full list of affected CA products may be found below.

What is the potential impact:
The vulnerability may be exploited causing a Denial of Service attack (loss of functionality) on the affected platform. CAM/CAFT is a common component of various CA products (refer list below) which are normally deployed behind a corporate firewall. Therefore this vulnerability is NOT regarded as having the potential to cause widespread problems for independent machines deployed on the general internet.

What is the status of this vulnerability:
CA has made patches available for all affected products. These patches are independent of the CA Software that installed CAM - simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions. You should also review the product home pages, below, for any additional product specific instructions .

What products and versions are affected:
This affects all versions of the CA Message Queuing software prior to
v1.07 Build 220_16 and v1.11 Build 29_20 on the specified platforms.
Affected products:
Advantage Data Transport 3.0
BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1 BrightStor Portal 11.1 CleverPath OLAP 5.1 CleverPath ECM 3.5 CleverPath Predictive Analysis Server 2.0, 3.0 CleverPath Aion 10.0 eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1 Unicenter Application Performance Monitor 3.0, 3.5 Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1 Unicenter Data Transport Option 2.0 Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2 Unicenter Jasmine 3.0 Unicenter Management for WebSphere MQ 3.5 Unicenter Management for Microsoft Exchange 4.0, 4.1 Unicenter Management for Lotus Notes/Domino 4.0 Unicenter Management for Web Servers 5, 5.0.1 Unicenter NSM 3.0, 3.1 Unicenter NSM Wireless Network Management Option 3.0 Unicenter Remote Control 6.0, 6.0 SP1 Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5 Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1 Unicenter TNG 2.1, 2.2, 2.4, 2.4.2 Unicenter TNG JPN 2.2 Affected platforms:
AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare and Windows.
Platforms NOT affected:
AS/400, MVS, NetWare, OS/2 and OpenVMS

What does CA recommend:
CA strongly recommends the application of the appropriate patch listed below.
Download: http://supportconnectw.ca.com/public/ca_common_docs/camessagsecurity_
notice.asp
Customers wishing to patch their Master Image CD sets should refer to the solution areas on the product home pages (please see http://supportconnectw .ca.com/main.asp).

How to determine CAM versions:
Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory.
Für die oben stehenden Pressemitteilungen, das angezeigte Event bzw. das Stellenangebot sowie für das angezeigte Bild- und Tonmaterial ist allein der jeweils angegebene Herausgeber (siehe Firmeninfo bei Klick auf Bild/Meldungstitel oder Firmeninfo rechte Spalte) verantwortlich. Dieser ist in der Regel auch Urheber der Pressetexte sowie der angehängten Bild-, Ton- und Informationsmaterialien.
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an service@pressebox.de.