-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20111208-01: Security Notice for CA SiteMinder Issued: December 08, 2011 Updated: August 22, 2012 CA Technologies Support is alerting customers to a potential risk in CA SiteMinder, CA Federation Manager, CA SOA Security Manager, CA SiteMinder Secure Proxy Server, and CA SiteMinder SharePoint Agent. A vulnerability exists that can allow a malicious user to execute a reflected cross site scripting (XSS) attack. CA Technologies has issued patches to address the vulnerability. The vulnerability, CVE-2011-4054, occurs due to insufficient validation of postpreservationdata parameter input utilized in the login.fcc form. A malicious user can submit a specially crafted request to effectively hijack a victim's browser. Risk Rating Medium Platform All Affected Products CA SiteMinder R6 SP6 CR7 and earlier CA SiteMinder R12 SP3 CR8 and earlier CA Federation Manager 12.1 SP3 and earlier CA SOA Security Manager 12.1 SP3 and earlier CA SiteMinder Secure Proxy Server 12.0 SP3 and earlier CA SiteMinder Secure Proxy Server 6.0 SP3 and earlier CA SiteMinder SharePoint Agent 12.0 SP3 and earlier Non-Affected Products CA SiteMinder R6 SP6 CR8 CA SiteMinder R12 SP3 CR9 CA Federation Manager 12.1 SP3 CR00.1 CA SOA Security Manager 12.1 SP3 CR01.1 CA SiteMinder Secure Proxy Server 12.0 SP3 CR01.1 CA SiteMinder Secure Proxy Server 6.0 SP3 CR07.1 CA SiteMinder SharePoint Agent 12.0 SP3 CR0.1 How to determine if the installation is affected Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. Solution CA has issued patches to address the vulnerability. CA SiteMinder R6: Upgrade to R6 SP6 CR8 or later CA SiteMinder R12: Upgrade to R12 SP3 CR9 or later CA Federation Manager 12.1 SP3: Apply fix RS47435 CA SOA Security Manager 12.1 SP3: Apply fix RS47436 CA SiteMinder Secure Proxy Server 12.0 SP3: Apply fix RS47431 CA SiteMinder Secure Proxy Server 6.0 SP3: Apply fix RS47432 CA SiteMinder SharePoint Agent 12.0 SP3: Apply fix RS47433 CR releases can be found on the CA SiteMinder Hotfix/Cumulative Release page (URL may wrap): https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E 29-C3DE-405E-9151-9EEA72D965CE}. Workaround None References CVE-2011-4054 - CA SiteMinder login.fcc XSS Acknowledgement CVE-2011-4054 - Jon Passki of Aspect Security, via CERT Change History Version 1.0: Initial Release Version 1.1: Updated R6 fix information Version 1.2: Added information for Federation Manager, SOA Security Manager, SiteMinder Secure Proxy Server, SiteMinder SharePoint Agent If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in a CA Technologies product, please report your findings to the CA Technologies Product Vulnerability Response Team. support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director CA Technologies Product Vulnerability Response Team CA Technologies Business Unit Operations wilja22@ca.com -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Charset: utf-8 wj8DBQFQO7sGeSWR3+KUGYURAvlVAJwNzRfo5NORDDMQhau8SfLHOGnMqACfYEfY xM1DGynkf5e0fdgSVhvVYGM= =JTJo -----END PGP SIGNATURE-----