CA20111208-01: Security Notice for CA SiteMinder

Today we published a security notice and fixes to address a medium risk, publicly known vulnerability in CA SiteMinder. The vulnerability, CVE-2011-4054, occurs due to insufficient validation of postpreservationdata parameter input utilized in the login.fcc form. A malicious user can submit a specially crafted request to effectively hijack a victim’s browser. Vulnerability details were first publicized by CERT on 2011-12-07 in US-CERT Vulnerability Note VU#713012 – CA Siteminder login.fcc form xss vulnerability. We are not aware of any active exploitation, and due to the lower risk, we do not anticipate any widespread exploitation. Note that fixes are currently available only for SiteMinder R12. Fixes for SiteMinder R6 should be available in January 2012.

CA20111208-01: Security Notice for CA SiteMinder

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A7DA8AC2-E9B4-4DDE-B828-098E0955A344}

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com

The opinions and statements on this site are my own and do not necessarily reflect the opinions or policies of CA Technologies.

Ken Williams

Ken Williams is a Director with the CA Vulnerability Research Team. As a veteran vulnerability researcher, Ken has worked as the Director of the CA Vulnerability Research Team and eVM Research Team, Director of Vulnerability Research at eSecurityOnline, Manager of the Vulnerability Research Team at Ernst & Young, and founder of Packet Storm Security.

This article has 3 comments

  1. Does this vulnerability apply to stepupauth.fcc (contains postpreservationdata) used by the GD Step-up authentication module?

  2. Thank you for the question, Ed. I’m investigating this issue. If you would like to be updated directly about progress of this issue, please send your contact info to vuln@ca.com

  3. Update: We have investigated and determined that stepupauth.fcc is not vulnerable.
