Thread-topic: CA Products' Ingres Implementation Multiple Vulnerabilities
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Sunday, June 24, 2007 5:32 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NEWS] CA Products' Ingres Implementation Multiple
> Vulnerabilities
>
>
> CA Products' Ingres Implementation Multiple Vulnerabilities
>
>
>
> Various CA products that embed Ingres products contain
> multiple vulnerabilities that can allow an attacker to
> potentially execute arbitrary code. CA has issued fixes, to
> address all of these vulnerabilities, for all supported CA
> products that may be affected.
>
>
> Affected Products:
> * Advantage Data Transformer r2.2
> * AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1
> * AllFusion Harvest Change Manager r7, r7.1
> * BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5
> (Unix, Linux and Mainframe Linux)
> * BrightStor ARCserve Backup for Laptops and Desktops r11.5
> * BrightStor Enterprise Backup (Unix only) r10.5
> * BrightStor Storage Command Center r11.5
> * BrightStor Storage Resource Manager r11.5
> * CleverPath Aion Business Rules Expert r10.1
> * CleverPath Aion Business Process Monitoring r10.1
> * CleverPath Predictive Analysis Server r3
> * DocServer 1.1
> * eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2
> * eTrust Audit r8 SP2
> * eTrust Directory r8.1
> * eTrust IAM Suite r8.0
> * eTrust IAM Toolkit r8.0, r8.1
> * eTrust Identity Manager r8.1
> * eTrust Network Forensics r8.1
> * eTrust Secure Content Manager r8
> * eTrust Single Sign-On r7, r8, r8.1
> * eTrust Web Access Control 1.0
> * Unicenter Advanced Systems Management r11
> * Unicenter Asset Intelligence r11
> * Unicenter Asset Management r11
> * Unicenter Asset Portfolio Management r11.2.1, r11.3
> * Unicenter CCS r11
> * Unicenter Database Command Center r11.1
> * Unicenter Desktop and Server Management r11
> * Unicenter Desktop Management Suite r11
> * Unicenter Enterprise Job Manager r1 SP3, r1 SP4
> * Unicenter Job Management Option r11
> * Unicenter Lightweight Portal 2
> * Unicenter Management Portal r3.1.1
> * Unicenter Network and Systems Management r3.0, r11
> * Unicenter Network and Systems Management - Tiered - Multi
> Platform r3.0 0305, r3.1 0403, r11.0
> * Unicenter Patch Management r11
> * Unicenter Remote Control 6, r11
> * Unicenter Service Accounting r11, r11.1
> * Unicenter Service Assure r2.2, r11, r11.1
> * Unicenter Service Catalog r11, r11.1
> * Unicenter Service Delivery r11.0, r11.1
> * Unicenter Service Intelligence r11
> * Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1
> * Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1,
> r11, r11.1, r11.2
> * Unicenter Software Delivery r11
> * Unicenter TNG 2.4, 2.4.2, 2.4.2J
> * Unicenter Workload Control Center r1 SP3, r1 SP4
> * Unicenter Web Services Distributed Management 3.11, 3.50
> * Wily SOA Manager 7.1
>
> Affected Platforms:
> All operating system platforms supported by the various CA
> products that embed Ingres. This includes Windows, Linux, and
> supported UNIX platforms.
>
> 1) Ingres controllable pointer overwrite vulnerability
> (reported by NGSSoftware) [Ingres bug 115927, CVE-2007-3336,
> CAID 35450]
>
> Description: An unauthenticated attacker can potentially
> execute arbitrary code within the context of the database server.
>
> 2) Ingres remote unauthenticated pointer overwrite #2
> (reported by NGSSoftware) [Ingres bug 115927, CVE-2007-3336,
> CAID 35450]
>
> Description: An unauthenticated attacker can exploit a
> pointer overwrite vulnerability to execute arbitrary code
> within the context of the database server.
>
> 3) Ingres wakeup file overwrite (reported by NGSSoftware)
> [Ingres bug 115913, CVE-2007-3337, CAID 35451]
>
> Description: The "wakeup" binary creates a file named
> "alarmwkp.def" in the current directory, truncating the file
> if it already exists. The "wakeup" binary is setuid "ingres"
> and world-executable. Consequently, an attacker can truncate
> a file with the privileges of the "ingres" user.
>
> 4) Ingres uuid_from_char stack overflow (reported by
> NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452]
>
> Description: An attacker can pass a long string as an
> argument to uuid_from_char() to cause a stack buffer overflow
> and the saved return address can be overwritten.
>
> 5) Ingres verifydb local stack overflow (reported by
> NGSSoftware) [Ingres bug 115911, CVE-2007-3338, CAID 35452]
>
> Description: A local attacker can exploit a stack overflow in
> the Ingres verifydb utility duve_get_args function.
>
> 6) Communication server heap corruption (reported by
> iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453]
>
> Description: An attacker can execute arbitrary code within
> the context of the communications server (iigcc.exe). This
> only affects Ingres on the Windows operating system. Reported
> by iDefense as IDEF2023.
>
> 7) Data Access/JDBC server heap corruption (reported by
> iDefense) [Ingres bug 117523, CVE-2007-3334, CAID 35453]
>
> Description: An attacker can execute arbitrary code within
> the context of the Data Access server (iigcd.exe) in r3 or
> the JDBC server in older releases. This only affects Ingres
> on the Windows operating system. Reported by iDefense as IDEF2022.
>
> Status and Recommendation:
> CA recommends that customers apply the appropriate fix(es)
> listed on the Security Notice page:
> http://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotice.asp
>
>
> Additional Information:
> The information has been provided by Williams, James K
> <mailto:James.Williams@xxxxxx> .
> The original article can be found at:
> http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
>
>
>
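
Added example, not part of the advisory and not Ingres code: the truncate-on-create behaviour described in item 3, next to an exclusive-create form that refuses to touch an existing file. Only the file name alarmwkp.def comes from the advisory; the function names, scratch directory and file contents are constructed for illustration.

```c
/* Added example; only the file name alarmwkp.def comes from the advisory. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Behaviour the advisory describes: create the file in the current
 * directory and truncate it if it already exists. */
static int open_truncating(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: succeed only when the call itself creates the file.
 * An existing name (regular file or symbolic link) fails with EEXIST
 * and is never truncated. */
static int open_exclusive(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a scratch directory already holds a 6-byte
 * alarmwkp.def. Calls the chosen opener from inside that directory and
 * returns the file's size afterwards, or -1 on a setup error. */
long size_after_open(int hardened) {
    char dir[] = "/tmp/wakeup-demo-XXXXXX", cwd[4096];
    struct stat st;
    long size = -1;
    if (!getcwd(cwd, sizeof cwd) || !mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    FILE *f = fopen("alarmwkp.def", "w");
    if (f && fputs("config", f) >= 0 && fclose(f) == 0) {
        int fd = hardened ? open_exclusive("alarmwkp.def")
                          : open_truncating("alarmwkp.def");
        if (fd >= 0) close(fd);
        if (stat("alarmwkp.def", &st) == 0) size = (long)st.st_size;
    }
    unlink("alarmwkp.def");
    if (chdir(cwd) == 0) rmdir(dir);
    return size;
}

int main(void) {
    printf("O_TRUNC open: %ld bytes left\n", size_after_open(0));
    printf("O_EXCL open:  %ld bytes left\n", size_after_open(1));
    return 0;
}
```

A setuid program would additionally drop its elevated privileges before writing into a directory chosen by the caller.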