SupportConnect - CA Message Queuing Security Notice
  

CA Message Queuing
Security Notice

Issued: January 30, 2006
Last Updated: February 09, 2006

Attention CA Customers:
Patches Are Now Available To Address CA Message Queuing Vulnerabilities.

The CA Customer Support team would like to thank Nicolas Pouvesle of Tenable Network Security for help in identifying these vulnerabilities.

The following security vulnerabilities have been identified in the CA Message Queuing (CAM / CAFT) software:

  • CAM is vulnerable to a Denial of Service (DoS) attack when a specially crafted message is received on TCP port 4105.
  • CAM is vulnerable to a Denial of Service (DoS) through the spoofing of CAM control messages.

CA has made patches available for all affected products. These patches are independent of the CA Software that installed CAM - simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions. You should also review the product home pages, below, for any additional product specific instructions.

This affects all versions of the CA Message Queuing software prior to v1.07 Build 220_16 and prior to v1.11 Build 29_20 on the platforms listed below. Note that CAM v1.05 (any build) and CAM v1.07 Builds 230 and 231 are also affected; see "Solutions by installed CAM version" for the patch that applies to each.

Affected products:

Advantage Data Transport 3.0
BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1, 11.5
BrightStor Portal 11.1
CleverPath OLAP 5.1
CleverPath ECM 3.5
CleverPath Predictive Analysis Server 2.0, 3.0
CleverPath Aion 10.0
eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Application Performance Monitor 3.0, 3.5
Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1
Unicenter Data Transport Option 2.0
Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter Jasmine 3.0
Unicenter Management for WebSphere MQ 3.5
Unicenter Management for Microsoft Exchange 4.0, 4.1
Unicenter Management for Lotus Notes/Domino 4.0
Unicenter Management for Web Servers 5, 5.0.1
Unicenter NSM 3.0, 3.1
Unicenter NSM Wireless Network Management Option 3.0
Unicenter Remote Control 6.0, 6.0 SP1
Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1
Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter TNG JPN 2.2

Affected platforms:

AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare and Windows.

Platforms NOT affected:

AS/400, MVS, NetWare, OS/2 and OpenVMS

Solutions by installed CAM version:

Note: CAM v1.05 will require the CAM v1.07 patch.
CAM v1.07 Build 230 & 231 will require the CAM v1.11 patch.

Links for all CAM versions are supplied below.

  • CAM v1.11 prior to Build 29_20 and CAM v1.07 Build 230 & 231
  • CAM v1.07 prior to Build 220_16
  • CAM v1.05 (any version)

CA strongly recommends the application of the appropriate patch listed below.

Download:

Customers wishing to patch their Master Image CD sets should refer to the solution areas on the product home pages.

Frequently Asked Questions (FAQ) related to this security update

Determining CAM Versions

USD/SDO package for the CA Message Queuing vulnerability

UAM/AMO Definitions for the CA Message Queuing vulnerability

Determining CAM versions:

Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 increment 2 is running. Since Build 27_2 is prior to Build 29_20, this installation is affected and requires the CAM v1.11 patch.

E:\>camstat
CAM – machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: the install location is specified by the %CAI_MSQ% environment variable
Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM install location
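The following Python script is an added example, not part of CA's notice or of the CAM software. It combines the two steps above: it locates the CAM bin directory via %CAI_MSQ% or /etc/catngcampath, runs camstat, parses the Version/Build fields from the first output line, and applies the per-version rules from this notice to decide whether the installation is patched or which patch (v1.07 or v1.11) to apply. It assumes the header format shown above, that the executable is named camstat (camstat.exe on Windows, an assumption), and that a build printed without an "_increment" suffix is increment 0. The sample camstat lines are constructed for the example; when camstat cannot be run locally, the script falls back to them.

```python
import os
import re
import subprocess
import sys
from typing import List, NamedTuple, Tuple

# Patched thresholds quoted in the notice: an installation at or above these
# (build, increment) values no longer needs the corresponding patch.
PATCHED_1_07 = (220, 16)
PATCHED_1_11 = (29, 20)

# Possible verdicts returned by required_patch().
PATCHED = "patched"
NEEDS_1_07 = "apply the CAM v1.07 patch"
NEEDS_1_11 = "apply the CAM v1.11 patch"
NOT_COVERED = "version not covered by this notice"

# Matches the first line printed by camstat, e.g.
#   CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16
# The "_increment" suffix is optional; a missing increment is treated as 0.
_CAMSTAT_RE = re.compile(
    r"Version\s+(?P<major>\d+)\.(?P<minor>\d+)\s+"
    r"\(Build\s+(?P<build>\d+)(?:_(?P<inc>\d+))?\)"
)


class CamVersion(NamedTuple):
    major: int
    minor: int
    build: int
    increment: int


def parse_camstat(first_line: str) -> CamVersion:
    """Extract version, build and increment from the camstat header line."""
    m = _CAMSTAT_RE.search(first_line)
    if not m:
        raise ValueError("not a camstat header line: %r" % first_line)
    return CamVersion(int(m["major"]), int(m["minor"]), int(m["build"]),
                      int(m["inc"] or 0))


def required_patch(v: CamVersion) -> str:
    """Apply the notice's rules:
      v1.05 (any build)          -> CAM v1.07 patch
      v1.07 Build 230 or 231     -> CAM v1.11 patch
      v1.07 before Build 220_16  -> CAM v1.07 patch
      v1.11 before Build 29_20   -> CAM v1.11 patch
    """
    level = (v.build, v.increment)
    if (v.major, v.minor) == (1, 5):
        return NEEDS_1_07
    if (v.major, v.minor) == (1, 7):
        if v.build in (230, 231):
            return NEEDS_1_11
        return NEEDS_1_07 if level < PATCHED_1_07 else PATCHED
    if (v.major, v.minor) == (1, 11):
        return NEEDS_1_11 if level < PATCHED_1_11 else PATCHED
    return NOT_COVERED


def cam_install_dir() -> str:
    """Locate the CAM install directory the way the notice describes."""
    if sys.platform.startswith("win"):
        return os.environ["CAI_MSQ"]
    with open("/etc/catngcampath") as f:
        return f.read().strip()


def camstat_first_line() -> str:
    """Run camstat from the bin subfolder and return its first output line."""
    exe = "camstat.exe" if sys.platform.startswith("win") else "camstat"  # name assumed
    path = os.path.join(cam_install_dir(), "bin", exe)
    out = subprocess.run([path], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0]


# Constructed sample header lines (not real camstat output) covering each rule.
SAMPLE_CAMSTAT_LINES = [
    "CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16",
    "CAM - host2.ca.com Version 1.11 (Build 29_20) up 3 days 0:05",
    "CAM - host3.ca.com Version 1.07 (Build 230_1) up 1 days 4:40",
    "CAM - host4.ca.com Version 1.07 (Build 220_15) up 0 days 0:30",
    "CAM - host5.ca.com Version 1.07 (Build 220_16) up 2 days 9:12",
    "CAM - host6.ca.com Version 1.05 (Build 12) up 9 days 2:01",
]


def assess_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each camstat header line with the verdict for that installation."""
    return [(line, required_patch(parse_camstat(line))) for line in lines]


if __name__ == "__main__":
    try:
        lines = [camstat_first_line()]
    except (KeyError, OSError, IndexError, subprocess.CalledProcessError):
        lines = SAMPLE_CAMSTAT_LINES  # no local CAM; use the constructed samples
    for line, verdict in assess_lines(lines):
        print("%-36s %s" % (verdict, line))
```

The v1.07 Build 230/231 case is checked before the numeric comparison because those builds are numerically above 220_16 yet, per the notice, still require the v1.11 patch; a plain "build >= threshold" test would wrongly report them as patched.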

UAM/AMO Definitions for the CA Message Queuing vulnerabilities:

The current Unicenter Asset Management r4 Application Definitions revision includes definitions specially designed to assist administrators in detecting the presence of CA Message Queuing vulnerabilities, as well as other CA product vulnerabilities.

Administrators need only download the current revision using the automated download facility. The download facility is located as a link in the Unicenter Asset Management r4 Admin Console at /Asset Management/<DOMAIN_NAME>/Control Panel/Software, as shown in the figure below.

Figure 1

Once downloaded, the specially designed application definitions identifying a vulnerability will include, on the Description Tab, a message similar to the one shown below:

Figure 2

Upon detection of components featuring a warning message, administrators can copy the link from the description into a browser to obtain current instructions on addressing the vulnerabilities detected.

Please note: Administrators who have not already upgraded beyond Application Definitions Revision are required to perform Software Normalization Procedures in order to upgrade to the current revision. For more information on Application Definitions downloads and Normalization Procedures, refer to the required Software Normalization procedures posted at http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=TEC346514.

Should you require additional information, please contact CA Customer Support:
North America (for individual product hotlines)
Internationally (for individual country offices)
