SupportConnect - CA Message Queuing Security Notice

CA Message Queuing
Security Notice

Issued: August 19, 2005
Last Updated: August 26, 2005

Attention CA Customers:
Patches Are Now Available To Address CA Message Queuing Vulnerabilities.

The CA Customer Support team has recently become aware of several vulnerability issues in the CA Message Queuing (CAM / CAFT) software:

  • The CAM TCP port is potentially vulnerable to a Denial of Service (DoS) attack.
  • Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with elevated privileges.
  • A spoofed CAFT can potentially be launched, allowing arbitrary commands to be executed with elevated privileges.

CA has made patches available for all affected users.

This affects the following versions of the CA Message Queuing software:

v1.07 - all builds prior to 220_13
v1.11 - all builds prior to 29_13

v1.07 - builds 230 & 231 are also affected. Users of these builds should use the v1.11 security fix to upgrade CAM to a secure version.

Affected products:

AdviseIT 2.4
Advantage™ Data Transport 3.0
BrightStor® SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
BrightStor® Portal 11.1
CleverPath™ OLAP 5.1
CleverPath™ ECM 3.5
CleverPath™ Predictive Analysis Server 3.0
eTrust™ Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
Unicenter Performance Management for OpenVMS r2.4 SP3
Unicenter® Application Performance Monitor 3.0, 3.5
Unicenter® Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1
Unicenter® Data Transport Option 2.0
Unicenter® Enterprise Job Manager 1.0 SP1, 1.0 SP2
Unicenter® Jasmine 3.0
Unicenter® Management for WebSphere MQ 3.5
Unicenter® Management for Microsoft Exchange 4.0, 4.1
Unicenter® Management for Lotus Notes/Domino 4.0
Unicenter® Management for Web Servers 5, 5.0.1
Unicenter® NSM 3.0, 3.1
Unicenter® NSM Wireless Network Management Option 3.0
Unicenter® Remote Control 6.0, 6.0 SP1
Unicenter® Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
Unicenter® Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1
Unicenter® TNG 2.1, 2.2, 2.4, 2.4.2
Unicenter® TNG JPN 2.2

Affected platforms:

AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare, Windows, Apple Mac, AS/400, MVS, NetWare, OS/2 and OpenVMS.

Platforms NOT affected:

None.

Solutions by installed CAM version:

Note: CAM v1.05 will require the CAM v1.07 patch.
  CAM v1.07 Build 230 & 231 will require the CAM v1.11 patch.

Links for all CAM versions are supplied below.

Fixes for CAM v1.11 prior to Build 29_13 and CAM 1.07 build 230 & 231
Fixes for CAM v1.07 prior to Build 220_13 and CAM v1.05 (any version)

CA strongly recommends the application of the appropriate patch.

Download:

Customers wishing to patch their Master Image CD sets should refer to the solution areas on the product home pages.

Frequently Asked Questions (FAQ) related to this security update

USD/SDO package for the CA Message Queuing vulnerability

UAM/AMO Definitions for the CA Message Queuing vulnerability

Determining CAM versions:

Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory.

The example below indicates that CAM version 1.11 build 27 increment 2 is running.

E:\>camstat
CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16

Determining the CAM install directory:

Windows: the install location is specified by the %CAI_MSQ% environment variable
Unix/Linux/Mac: the /etc/catngcampath text file holds the CAM install location
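
For checking many hosts, the version rules in this notice can be applied to the first line of camstat output automatically. The script below is an added example, not CA code; the function names, the handling of a build printed without an increment, and the numeric ordering of builds are assumptions, and all sample lines except the first are constructed.

```python
import re

# Banner layout taken from the camstat sample in this notice.
# Assumption: a build may also be printed without an "_increment" suffix.
BANNER = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)(?:_(\d+))?\)")

# First fixed (build, increment) per release, as stated in this notice.
FIXED = {(1, 7): (220, 13), (1, 11): (29, 13)}


def parse_banner(line):
    """Return ((major, minor), (build, increment)) from a camstat first line."""
    m = BANNER.search(line)
    if m is None:
        raise ValueError("not a camstat banner: %r" % (line,))
    major, minor, build, inc = m.groups()
    return (int(major), int(minor)), (int(build), int(inc or 0))


def assess(line):
    """Map a camstat banner to (status, patch to apply or None)."""
    version, build = parse_banner(line)
    if version == (1, 5):                      # any v1.05 build
        return ("affected", "v1.07 patch")
    if version == (1, 7) and build[0] in (230, 231):
        return ("affected", "v1.11 patch")     # special case in the notice
    if version in FIXED:
        # Assumption: builds order numerically by build, then increment.
        if build < FIXED[version]:
            return ("affected", "v%d.%02d patch" % version)
        return ("not listed as affected", None)
    return ("not covered by this notice", None)


if __name__ == "__main__":
    samples = [
        "CAM - machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16",  # from the notice
        "CAM - host-a Version 1.11 (Build 29_13) up 3 days 0:02",         # constructed
        "CAM - host-b Version 1.07 (Build 230) up 1 days 4:40",           # constructed
        "CAM - host-c Version 1.05 (Build 180_4) up 9 days 7:15",         # constructed
    ]
    for s in samples:
        print(assess(s), "<-", s)
```

Pass the first line of each host's camstat output to assess(); a ValueError means the line did not match the banner layout and the host should be checked by hand.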

Should you require additional information, please contact CA Customer Support:
North America (for individual product hotlines)
Internationally (for individual country offices)