CA Technologies is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions. The vulnerability occurs due to insufficient input validation. A privileged user can potentially execute arbitrary code or commands. Versions affected include 13.0.3, 13.0.4, 14.0.0, and 14.0.1.
a4714b8adbe4fb471da29bb68b71fdc00d58ffcb406ca48c29511036eec88952
--0000000000006d3d3c05d7228a13
Content-Type: text/plain; charset="UTF-8"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
CA20220203-01: Security Notice for CA Harvest Software Change Manager
Issued: February 3rd, 2022
CA Technologies, A Broadcom Company, is alerting customers to a
vulnerability in CA Harvest Software Change Manager. A vulnerability
exists that can allow a privileged user to perform CSV injection
attacks and potentially execute arbitrary code or commands. Note that
this vulnerability is specific to the Harvest Workbench and Eclipse
Plugin interfaces. CA published solutions to address this
vulnerability and recommends that all affected customers implement
these solutions.
The vulnerability, CVE-2022-22689, occurs due to insufficient input
validation. A privileged user can potentially execute arbitrary code
or commands.
Risk Rating
CVE-2022-22689 - High
Platform(s)
Microsoft Windows, Linux, Linux s390x, Apple MacOS
Affected Products
CA Harvest Software Change Manager 13.0.3
CA Harvest Software Change Manager 13.0.4
CA Harvest Software Change Manager 14.0.0
CA Harvest Software Change Manager 14.0.1
Note: older, unsupported versions may be affected
How to determine if the installation is affected
For Harvest Workbench, check for "CA Harvest Software Change Manager
Workbench" release number.
- From Harvest workbench, Click on About > CA Harvest Software
Change Manager Workbench
For 13.0.3 it would be 13.0.3.152
For 13.0.4 it would be 13.0.4.254
For 14.0.0 it would be 14.0.0.369
For 14.0.1 it would be 14.0.0.369
For Eclipse, check for "CA Harvest SCM Team Provider" feature
version.
- From Eclipse, Click on About > About Eclipse IDE >
Installation Details > Features
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a
For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or
13.0.4.254c
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a
For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a
Solution
CA Technologies published the following solutions to address the
vulnerabilities:
Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or
14.0.1.
Fixes are available at https://support.broadcom.com/
13.0.3 APAR 99111332
13.0.4 APAR 99111333
14.0.0 APAR 99111334
14.0.1 APAR 99111356
How to determine if the fix is applied
For Harvest Workbench, check for "CA Harvest SCM Workbench" feature
name.
- From Harvest Workbench, Click on About > CA Harvest Software
Change Manager Workbench > Installation Details > Features
Feature name would be "CA Harvest SCM Workbench-Efix-V0001"
For Eclipse, check for "CA Harvest SCM Team Provider" feature version.
- From Eclipse, Click on About > About Eclipse IDE >
Installation Details > Features
For 13.0.3 it would be 13.0.3.152b
For 13.0.4 it would be 13.0.4.254d
For 14.0.0 it would be 14.0.0.369b
For 14.0.1 it would be 14.0.2.16
References
CVE-2022-22689 - CA Harvest Software Change Manager CSV injection
vulnerability
Acknowledgement
CVE-2022-22689 - Merten Nagel of usd AG
Change History
Version 1.0: 2022-02-03 - Initial Release
CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.
Customers who require additional information about this notice may
contact CA Technologies Support at https://support.broadcom.com/
To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT> broadcom.com
Security Notices, PGP key, disclosure policy, and related guidance can
be found at: https://techdocs.broadcom.com/ca-psirt
Regards,
Ken Williams
Vulnerability and Incident Response, Broadcom and CA PSIRT
https://techdocs.broadcom.com/ca-psirt
https://www.broadcom.com/support/resources/product-security-center
ken.williams<AT>broadcom.com | ca.psirt<AT>broadcom.com |
psirt<AT>broadcom.com | Broadcom | broadcom.com
Copyright (c) 2022 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective
companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
wsFVAwUBYfwyskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74
NfFlXQY5b+Azl8h1z0mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb
HDgfqhpSLwlGgfhDq93H185+1JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr
UK6h03PZWriexDqhNPszSG8+XHVxDBsMVxvIoV7REM83PV9QbBC2Y2506s2NcOsr
zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGCvXNZXvF6v/gmbKwUoj1fLVxr+
B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+mybvr8D1Betjxjqp8fQuN
n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i1b+qlfEMp6v
WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV+DE4
quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbs
PQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf
om/NSIkMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky
9tdZUcfmjEE=
=+rbw
-----END PGP SIGNATURE-----
--
This electronic communication and the information and any files transmitted
with it, or attached to it, are confidential and are intended solely for
the use of the individual or entity to whom it is addressed and may contain
information that is confidential, legally privileged, protected by privacy
laws, or otherwise restricted from disclosure to anyone else. If you are
not the intended recipient or the person responsible for delivering the
e-mail to the intended recipient, you are hereby notified that any use,
copying, distributing, dissemination, forwarding, printing, or copying of
this e-mail is strictly prohibited. If you received this e-mail in error,
please return the e-mail to the sender, delete it from your computer, and
destroy any printed copy of it.
--0000000000006d3d3c05d7228a13
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><br><div>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA51=
2<br><br>CA20220203-01: Security Notice for CA Harvest Software Change Mana=
ger<br><br>Issued: February 3rd, 2022<br><br>CA Technologies, A Broadcom Co=
mpany, is alerting customers to a <br>vulnerability in CA Harvest Software =
Change Manager. A vulnerability <br>exists that can allow a privileged user=
to perform CSV injection <br>attacks and potentially execute arbitrary cod=
e or commands. Note that <br>this vulnerability is specific to the Harvest =
Workbench and Eclipse <br>Plugin interfaces. CA published solutions to addr=
ess this <br>vulnerability and recommends that all affected customers imple=
ment <br>these solutions.<br><br>The vulnerability, CVE-2022-22689, occurs =
due to insufficient input <br>validation.=C2=A0 A privileged user can poten=
tially execute arbitrary code <br>or commands.<br><br><br>Risk Rating<br><b=
r>CVE-2022-22689 - High<br><br><br>Platform(s)<br><br>Microsoft Windows, Li=
nux, Linux s390x, Apple MacOS<br><br><br>Affected Products<br><br>CA Harves=
t Software Change Manager 13.0.3<br>CA Harvest Software Change Manager 13.0=
.4<br>CA Harvest Software Change Manager 14.0.0<br>CA Harvest Software Chan=
ge Manager 14.0.1<br>Note: older, unsupported versions may be affected<br><=
br><br>How to determine if the installation is affected<br><br>For Harvest =
Workbench, check for "CA Harvest Software Change Manager<br>Workbench&=
quot; release number.<br><br>- From Harvest workbench, Click on About > =
CA Harvest Software<br>Change Manager Workbench<br>For 13.0.3 it would be 1=
3.0.3.152<br>For 13.0.4 it would be 13.0.4.254<br>For 14.0.0 it would be 14=
.0.0.369<br>For 14.0.1 it would be 14.0.0.369<br><br>For Eclipse, check for=
"CA Harvest SCM Team Provider" feature <br>version.<br><br>- Fro=
m Eclipse, Click on About > About Eclipse IDE > <br>Installation Deta=
ils > Features<br>For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a<br>Fo=
r 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or<br>13.0.4.=
254c<br>For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a<br>For 14.0.1 it w=
ould be 14.0.0.369 or 14.0.0.369a =C2=A0<br><br><br>Solution<br><br>CA Tech=
nologies published the following solutions to address the <br>vulnerabiliti=
es:<br><br>Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, o=
r <br>14.0.1.<br><br>Fixes are available at <a href=3D"https://support.broa=
dcom.com/">https://support.broadcom.com/</a><br>13.0.3 APAR 99111332<br>13.=
0.4 APAR 99111333<br>14.0.0 APAR 99111334<br>14.0.1 APAR 99111356<br><br><b=
r>How to determine if the fix is applied<br><br>For Harvest Workbench, chec=
k for "CA Harvest SCM Workbench" feature <br>name.<br><br>- From =
Harvest Workbench, Click on About > CA Harvest Software<br>Change Manage=
r Workbench > Installation Details > Features<br><br>Feature name wou=
ld be "CA Harvest SCM Workbench-Efix-V0001"<br><br>For Eclipse, c=
heck for "CA Harvest SCM Team Provider" feature version.<br><br>-=
From Eclipse, Click on About > About Eclipse IDE > <br>Installation =
Details > Features<br>For 13.0.3 it would be 13.0.3.152b<br>For 13.0.4 i=
t would be 13.0.4.254d <br>For 14.0.0 it would be 14.0.0.369b<br>For 14.0.1=
it would be 14.0.2.16<br><br><br>References<br><br>CVE-2022-22689 - CA Har=
vest Software Change Manager CSV injection <br>vulnerability<br><br><br>Ack=
nowledgement<br><br>CVE-2022-22689 - Merten Nagel of usd AG<br><br><br>Chan=
ge History<br><br>Version 1.0: 2022-02-03 - Initial Release<br><br><br>CA c=
ustomers may receive product alerts and advisories by subscribing <br>to Pr=
oactive Notifications on the support site.<br><br>Customers who require add=
itional information about this notice may <br>contact CA Technologies Suppo=
rt at <a href=3D"https://support.broadcom.com/">https://support.broadcom.co=
m/</a><br><br>To report a suspected vulnerability in a CA Technologies prod=
uct, <br>please send a summary to the CA Technologies Product Vulnerability=
<br>Response Team at ca.psirt <AT> <a href=3D"http://broadcom.com">b=
roadcom.com</a><br><br>Security Notices, PGP key, disclosure policy, and re=
lated guidance can <br>be found at: <a href=3D"https://techdocs.broadcom.co=
m/ca-psirt">https://techdocs.broadcom.com/ca-psirt</a><br><br><br>Regards,<=
br>Ken Williams<br>Vulnerability and Incident Response, Broadcom and CA PSI=
RT<br><a href=3D"https://techdocs.broadcom.com/ca-psirt">https://techdocs.b=
roadcom.com/ca-psirt</a><br><a href=3D"https://www.broadcom.com/support/res=
ources/product-security-center">https://www.broadcom.com/support/resources/=
product-security-center</a><br>ken.williams<AT><a href=3D"http://broa=
dcom.com">broadcom.com</a> | ca.psirt<AT><a href=3D"http://broadcom.c=
om">broadcom.com</a> | <br>psirt<AT><a href=3D"http://broadcom.com">b=
roadcom.com</a> | Broadcom | <a href=3D"http://broadcom.com">broadcom.com</=
a><br><br>Copyright (c) 2022 Broadcom. All Rights Reserved. The term "=
Broadcom" <br>refers to Broadcom Inc. and/or its subsidiaries. Broadco=
m, the pulse <br>logo, Connecting everything, CA Technologies and the CA te=
chnologies <br>logo are among the trademarks of Broadcom. All trademarks, t=
rade names, <br>service marks and logos referenced herein belong to their r=
espective <br>companies.<br><br>-----BEGIN PGP SIGNATURE-----<br>Version: E=
ncryption Desktop 10.3.2 (Build 15238)<br>Charset: utf-8<br><br>wsFVAwUBYfw=
yskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74<br>NfFlXQY5b+Azl8h1z0=
mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb<br>HDgfqhpSLwlGgfhDq93H185+1=
JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr<br>UK6h03PZWriexDqhNPszSG8+XHVxDBsM=
VxvIoV7REM83PV9QbBC2Y2506s2NcOsr<br>zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGC=
vXNZXvF6v/gmbKwUoj1fLVxr+<br>B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+myb=
vr8D1Betjxjqp8fQuN<br>n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i=
1b+qlfEMp6v<br>WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV=
+DE4<br>quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbs<br=
>PQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf<br>om/NSI=
kMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky<br>9tdZUcfmjEE=
=3D<br>=3D+rbw<br>-----END PGP SIGNATURE-----<br></div></div>
<br>
<span style=3D"background-color:rgb(255,255,255)"><font size=3D"2">This ele=
ctronic communication and the information and any files transmitted with it=
, or attached to it, are confidential and are intended solely for the use o=
f the individual or entity to whom it is addressed and may contain informat=
ion that is confidential, legally privileged, protected by privacy laws, or=
otherwise restricted from disclosure to anyone else. If you are not the in=
tended recipient or the person responsible for delivering the e-mail to the=
intended recipient, you are hereby notified that any use, copying, distrib=
uting, dissemination, forwarding, printing, or copying of this e-mail is st=
rictly prohibited. If you received this e-mail in error, please return the =
e-mail to the sender, delete it from your computer, and destroy any printed=
copy of it.</font></span>
--0000000000006d3d3c05d7228a13--