SupportConnect - Important Security Notice for CA CleverPath and Embedded Portal Customers
Important Security Notice for CA CleverPath
and Embedded Portal Customers

Last Updated: December 19, 2006

CA Technical Support is alerting customers to a potential vulnerability issue in our Portal technology. This deficiency exists in our CleverPath Portal solution as well as other CA solutions that embed this Portal technology. Customers are advised to review this entire document to determine whether they are affected.

Problem

CleverPath Portal environments that are configured with multiple Portal servers sharing a common data store could experience a security issue. The effect is that a user who connects through one Portal server could inherit the Portal session, and with it the authenticated identity, of a user running on another Portal server.

Scope

This problem only occurs when multiple Portal servers share a common data store and two of the Portal servers are started at exactly the same time. Customers typically deploy multiple Portal servers in this configuration to obtain high-availability failover and load balancing.

A multi-server CleverPath Portal environment is not a default deployment, but it can be configured after installation.

None of the CA solutions that embed the Portal technology install into this scenario or offer a multiple Portal server environment as a configurable option. However, it is conceivable that a knowledgeable administrator could have modified an embedded Portal environment to use multiple Portal servers.

How to Determine if You are Affected

Affected Portal installations must meet both of the following criteria:

  1. You are not at Portal maintenance version 4.71.001_179_060830 or higher. To determine your Portal version:
    1. Log in as a Portal Administrator.
    2. Choose My Profile from the upper right-hand portion of the main workplace.
    3. Click on the Portal Administration link.
    4. The Portal version will be displayed in the right-hand pane under Statistics.
  2. You are running CA's Portal technology in a multi-server environment. To determine if you are running a multi-server environment:
    1. Log in as a Portal Administrator.
    2. Choose My Profile from the upper right-hand portion of the main workplace.
    3. Click on the Portal Administration link.
    4. If the Jump to Portal menu appears in the left Portal Administration pane, you are using a multiple-server environment.

[Image 1: the Portal Administration pane showing the Jump to Portal menu]

If you do not see the "Jump to Portal" section, then Portal is not running in a multi-server environment and is not affected by this vulnerability.

Risk Assessment

Research performed by CA Technical Support indicates that the prospects of a CleverPath Portal customer experiencing this vulnerability are low even for customers who use a multi-server environment. It is even less probable that an embedded Portal customer would come across this problem.

Although the likelihood of our customers being affected by this vulnerability is low, it is nonetheless possible. When the problem does occur, security authentication is severely compromised. Therefore, CA Technical Support strongly recommends that affected customers take counteractive measures as soon as possible.

Affected Platforms

All operating system platforms supported by our Portal technology are affected. This includes Windows, Linux and the supported UNIX platforms.

Remediation

The most prudent course of action for affected customers is to download and apply the corrective maintenance. If the maintenance cannot be applied right away, CA Technical Support recommends implementing interim operational process controls to ensure that, when multiple Portal servers share a common data store, their start times are staggered by at least one minute.
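As an added example that is not CA's code and not part of this notice, the following POSIX shell guard enforces the one-minute stagger across Portal hosts before the start command runs. It assumes a stamp file on storage every Portal host can reach (an NFS-style shared path, which the notice does not name), a mkdir-based lock, and a placeholder for the site's real Portal start command.

```shell
#!/bin/sh
# Interim control from the advisory: two Portal servers sharing a data
# store must not start within the same minute. The last start time is
# kept in a stamp file on storage every Portal host can reach (assumed:
# an NFS-style shared path; the advisory names no such path).
MIN_GAP=60

# stagger_ok STAMP_FILE NOW
#   0 if at least MIN_GAP seconds have passed since the recorded start
#   (or nothing usable is recorded), 1 otherwise.
stagger_ok() {
    stamp_file=$1
    now=$2
    [ -f "$stamp_file" ] || return 0
    last=$(cat "$stamp_file")
    case "$last" in
        ''|*[!0-9]*) return 0 ;;   # unreadable stamp: nothing to wait for
    esac
    [ $((now - last)) -ge "$MIN_GAP" ]
}

# wait_for_gap STAMP_FILE
#   Holds a mkdir lock (atomic on local and most shared filesystems) so
#   only one host at a time checks the gap and records its start; the
#   others block behind it and therefore see the fresh stamp.
wait_for_gap() {
    stamp_file=$1
    until mkdir "$stamp_file.lock" 2>/dev/null; do sleep 1; done
    until stagger_ok "$stamp_file" "$(date +%s)"; do sleep 5; done
    date +%s > "$stamp_file"
    rmdir "$stamp_file.lock"
}

# Usage, with a placeholder for the site's real Portal start command:
# wait_for_gap /shared/portal/last_start && /path/to/portal/start.sh
```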

Potentially Affected CA Solutions

Please review How to Determine if You are Affected before downloading and applying the maintenance below. Most customers using CleverPath Portal or CA's embedded Portal technology will not be affected by this vulnerability.

  - BrightStor Portal r11.1 (maintenance download)
  - CleverPath Aion BPM r10 (maintenance download)
  - CleverPath Aion BPM r10.1 (maintenance download)
  - CleverPath Aion BPM r10.2 (maintenance download)
  - CleverPath Portal r4.51 (maintenance download)
  - CleverPath Portal r4.7 (maintenance download)
  - CleverPath Portal r4.71 (maintenance download)
  - eTrust Security Command Center r1 (maintenance download)
  - eTrust Security Command Center r8 (maintenance download)
  - Unicenter Asset and Portfolio Management r11 (maintenance download)
  - Unicenter Database Management Portal r11 (maintenance download)
  - Unicenter Database Command Center r11.1 (maintenance download)
  - Unicenter Enterprise Job Manager r1 SP3 (maintenance download)
  - Unicenter Workload Control Center r1 SP4 (maintenance download)
  - Unicenter Management Portal r2.0 (maintenance download)
  - Unicenter Management Portal r3.1 (maintenance download)
  - Unicenter Management Portal r11.0 (maintenance download)
