-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20180829-01: Security Notice for CA PPM Issued: August 29, 2018 Last Updated: August 29, 2018 CA Technologies Support is alerting customers to multiple potential risks with CA PPM (formerly CA Clarity PPM). Multiple vulnerabilities exist that can allow an attacker to conduct a variety of attacks. The first vulnerability, CVE-2018-13822, has a medium risk rating and concerns an SSL password being stored in plain text, which can allow an attacker to access sensitive information. The second vulnerability, CVE-2018-13823, has a high risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to access sensitive information. The third vulnerability, CVE-2018-13824, has a high risk rating and concerns two parameters that fail to properly sanitize input, which can allow a remote attacker to execute SQL injection attacks. The fourth vulnerability, CVE-2018-13825, has a high risk rating and concerns improper input validation by the gridExcelExport functionality, which can allow a remote attacker to execute reflected cross-site scripting attacks. The fifth vulnerability, CVE-2018-13826, has a medium risk rating and concerns an XML external entity vulnerability in the XOG functionality, which can allow a remote attacker to conduct server side request forgery attacks. Risk Rating Cumulative risk rating: High Platform(s) All supported platforms Affected Products CA PPM 14.3 and below CA PPM 14.4 CA PPM 15.1 CA PPM 15.2 CA PPM 15.3 Unaffected Products CA PPM 15.2 with appropriate patch level listed in Solution section of this document. CA PPM 15.3 with appropriate patch level listed in Solution section of this document. CA PPM 15.4 CA PPM 15.4.1 How to determine if the installation is affected Customers can use the CA PPM Classic interface to find the release and patch level by clicking on "About" in the upper right corner of any screen. Solution CA Technologies published the following solutions to address the vulnerabilities. CA PPM 15.3: Apply 15.3.Cumulative Patch 3 (15.3.0.3) or later. CA PPM 15.2: Apply 15.2 Cumulative Patch 6 (15.2.0.6) or later. CA PPM 15.1: Please contact CA Technologies Support for assistance. Note that CA PPM 15.1 will reach End of Service (EOS) on April 30, 2019. CA PPM 14.4: Please contact CA Technologies Support for assistance. Note that CA PPM 14.4 will reach End of Service (EOS) on October 31, 2018. CA PPM 14.3 and below: As you plan your upgrade to the latest release, please feel free to contact CA Technologies Support should you have any questions. References CVE-2018-13822 - CA PPM unencrypted SSL password CVE-2018-13823 - CA PPM XXE in XOG info disclosure CVE-2018-13824 - CA PPM SQL injection CVE-2018-13825 - CA PPM gridExcelExport Reflected XSS CVE-2018-13826 - CA PPM XXE in XOG SSRF Acknowledgement CVE-2018-13822 - Piotr Domirski CVE-2018-13823 - Piotr Domirski CVE-2018-13824 - Piotr Domirski CVE-2018-13825 - Piotr Domirski CVE-2018-13826 - Piotr Domirski Change History Version 1.0: 2018-08-29 - Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Ken Williams Vulnerability Response Director, Product Vulnerability Response Team CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022 Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBW4llorlJjor7ahBNAQh0XxAAgxdkwPjBI22xUdXwFHcVWec/qQWX/25B h/MNN8HdlwKL3IV0MCnncHFaHkoGbQAhtyo5wyY9ql2GCBKUiLYNtDdXrBg1AlTw MrgJnW0FkxiDvt90mIuWITkCF52sBVvoCCHfFvH781Z1PYlmThmcrf4Pc3kXunIs a/pD9JMnBKBQEYUmdSHddqZ58pia+mYGlJY0b9fcNkYzqaMYx2QFh7TFeSq0wf1D tZPQ7XOu69hOA2pE6/9XHqN5DyRk4rEXaTLHMNN+i9DXB1+aXdLNBAlnuSWi3hVU oHtz8VULoVNrYZygcMOnQz9HusJcH8XaIv8hurqObzH5n3RsrGlvDM/9SxYaVE/j m8x2yuiOBFQLO2elCnr2xEe9Qsrmkak8c8Ddkuc9e9mxas5ss1wdE/j5rpOzYIwG QzJD+7nznBvAR8NG/jSVFMYu/M6zDmseKE0tPYHy8oDAV8VOhuoOJ05OoXWVnuc3 BXFfrWxdb6+C831QUs5HEuPfdETJPsUmZE4cGjeesVmInX7X729rtXDX/IIYQBli 3K+TFtxyMCmhAaNgRWt4Kgfv2v+WSEvVV1S9ivowrrDb+5KxnKqx2ib/+ZVJ2jhP jj8p6bOKSlFqpU8mR767oNwslsIO4bBDvFsT4UO4bwSmxiwbSjwbHkIuAdXG0dCL MRY2J0rRxzQ= =TW4m -----END PGP SIGNATURE-----