SupportConnect - CA License - Security Notice

CA License
Security Notice

Issued: March 02, 2005
Last Updated: March 17, 2005

Attention CA Customers:
License Patches Are Now Available To Address Buffer Overflows

Working closely with eEye Digital Security® and iDEFENSE, the CA Customer Support team has resolved multiple vulnerability issues recently discovered in the CA License software. Both eEye and iDEFENSE have confirmed that these vulnerabilities have been properly addressed. CA has made patches available to any affected license users.

Select Language

Deutsch
Français
Español
Japanese (日本語)
Korean (한국어)
Simplified Chinese (中文)
Traditional Chinese(繁體中文)
Italiano
Português

Buffer overflow conditions can potentially allow arbitrary code to be executed remotely with local SYSTEM privileges. This affects versions of the CA License software v1.53 through v1.61.8 on the specified platforms. Customers with these vulnerable versions should upgrade to CA License 1.61.9 or higher. CA License patches that address these issues can be downloaded from http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp.

CA strongly recommends the application of the appropriate CA License patch.

Frequently Asked Questions (FAQ) related to this security update
Utility for checking server vulnerability
USD/SDO package for the CA License vulnerability
UAM/AMO Definitions for the CA License vulnerability

Known issues:

Windows NT 4.0

Affected products:

The vulnerability exists if the CA License package version on the system is between v1.53 and v1.61.8.

Affected platforms:

AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac.

Determining CA License versions:

  1. Obtain the CA License package version:

    Windows: The CA license package version can be obtained by checking the file version of lic98version.exe. Right click on lic98version.exe, choose Properties, and then select the Version tab.

    Unix/Linux/Mac: Run lic98version from a command prompt to print out the version number and/or write it to lic98version.log.

OR

  1. Obtain the version of the vulnerable file:

    If the lic98version file does not exist on the system (which may be the case with older versions of the license package), check the version of the affected file itself:

    Windows: Obtain the version of lic98rmt.exe by right-clicking on the file, choosing Properties, and then selecting the Version tab. The vulnerability exists if the version is between 0.1.0.15 and 1.4.6.

    Unix/Linux/Mac: Run strings licrmt | grep BUILD from a command prompt. The following string format will be returned: "LICAGENT BUILD INFO = /x.x.x/Apr 16 2003/17:13:35", Where x.x.x is the file version. The vulnerability exists if this file version is between v1.0.15 thru v1.4.6.

Note the following default license install directories:
Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC
Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Should you require additional information, please contact CA Customer Support:
North America (for individual product hotlines)
Internationally (for individual country offices)