22688 : CA iGateway Service Content-Length Overflow
Printer | http://osvdb.org/22688 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
7	551	over 4 years ago	about 11 hours ago	2 times	100%

Timeline

Vendor Informed Date	Vendor Ack Date	Disclosure Date	Vendor Solution Date
2005-11-15	2005-11-15	2006-01-23	2006-01-23

Time to Patch
69 days

Description

A remote overflow exists in iGateway. The web server fails to properly validate the Content-Length header, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to be executed, resulting in a loss of integrity and/or availability.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 4.0.051230 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Computer Associates International, Inc.	BrightStor ARCserve Backup (Windows)	r11
	BrightStor ARCserve Backup	r11.5
	BrightStor ARCserve Backup	r11.1
	BrightStor Enterprise Backup	10.5
	BrightStor Process Automation Manager	r11.1
	BrightStor SAN Manager	r11.1
	BrightStor SAN Manager	r11.5
	BrightStor Storage Resource Manager	r11.5
		r11.1
		6.4
		6.3
	BrightStor Portal	11.1
	eTrust Audit	1.5 SP2
		1.5 SP3
		8.0
	eTrust Admin	8.1
	eTrust Identity Minder	8.0
	eTrust Secure Content Manager (SCM)	r8
	eTrust Integrated Threat Management (ITM)	r8
	eTrust Directory	R8.1
	Unicenter CA Web Services Distributed Management	r11.1
	Unicenter AutoSys JM	r11
	Unicenter Management for WebLogic	r11
	Unicenter Management for WebSphere	r11
	Unicenter Service Delivery	r11
	Unicenter Service Level Management (USLM)	r11
	Unicenter Application Performance Monitor	r11
	Unicenter Service Desk	r11
	Unicenter Service Desk Knowledge Tools	r11
	Unicenter Asset Portfolio Management	r11
	Unicenter Service Catalog/Fulfillment/Accounting	r11
	Unicetner MQ Management	r11
	Unicenter Application Server Management	r11
	Unicenter Web Server Management	r11
	Unicenter Exchange Management	r11
	Service Metric Analysis	r11
	ARCserve Backup	9.01
	BrightStor ARCServe Backup for Laptops &amp;amp;amp;amp;amp; Desktops	r11.1
	BrightStor ARCServe Backup for Laptops &amp;amp;amp;amp;amp; Desktops	r11

References

Security Tracker: 1015526
Bugtraq ID: 16354
Secunia Advisory ID: 18591
CVE ID: 2005-3653 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0794.html
Vendor URL: http://ca.com/
Vendor Specific Advisory URL: http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778
Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376

Tools & Filters

	20805

Manual Testing Notes

Credit

Erika Mendoza

CVSSv2 Score

We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Description

Classification

Solution

Products

Computer Associates International, Inc.

BrightStor ARCserve Backup (Windows)

BrightStor ARCserve Backup

BrightStor Enterprise Backup

BrightStor Process Automation Manager

BrightStor SAN Manager

BrightStor Storage Resource Manager

BrightStor Portal

eTrust Audit

eTrust Admin

eTrust Identity Minder

eTrust Secure Content Manager (SCM)

eTrust Integrated Threat Management (ITM)

eTrust Directory

Unicenter CA Web Services Distributed Management

Unicenter AutoSys JM

Unicenter Management for WebLogic

Unicenter Management for WebSphere

Unicenter Service Delivery

Unicenter Service Level Management (USLM)

Unicenter Application Performance Monitor

Unicenter Service Desk

Unicenter Service Desk Knowledge Tools

Unicenter Asset Portfolio Management

Unicenter Service Catalog/Fulfillment/Accounting

Unicetner MQ Management

Unicenter Application Server Management

Unicenter Web Server Management

Unicenter Exchange Management

Service Metric Analysis

ARCserve Backup

BrightStor ARCServe Backup for Laptops &amp;amp;amp;amp;amp;amp; Desktops