License Patches Are Now Available To Address Buffer Overflows

["Williams, James K" <James.Williams () ca com>]

CA License Security Notice

Attention CA Customers:
License Patches Are Now Available To Address Buffer Overflows

Working closely with eEye Digital Security® and iDEFENSE, the 
CA Technical Support team has resolved multiple vulnerability
issues recently discovered in the CA License software. Both 
eEye and iDEFENSE have confirmed that these vulnerabilities 
have been properly addressed. CA has made patches available 
to any affected license users. 

Buffer overflow conditions can potentially allow arbitrary 
code to be executed remotely with local SYSTEM privileges. 
This affects versions of the CA License software v1.53 
through v1.61.8 on the specified platforms. Customers with 
these vulnerable versions should upgrade to CA License 1.61.9
or higher. CA License patches that address these issues can 
be downloaded from the link below.

http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp 

CA strongly recommends the application of the appropriate CA
License patch. 

Affected products: 

The vulnerability exists if the CA License package version 
on the system is between v1.53 and v1.61.8. 

Affected platforms: 

AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows 
and Apple Mac. 

Determining CA License versions: 

1. Obtain the CA License package version: 

Windows: The CA license package version can be obtained by 
checking the file version of lic98version.exe.  Right click 
on lic98version.exe, choose Properties, and then select the 
Version tab. 

Unix/Linux/Mac: Run lic98version from a command prompt to 
print out the version number and/or write it to 
lic98version.log. 

OR 

2. Obtain the version of the vulnerable file: 

If the lic98version file does not exist on the system (which 
may be the case with older versions of the license package), 
check the version of the affected file itself: 

Windows: Obtain the version of lic98rmt.exe by right-clicking 
on the file, choosing Properties, and then selecting the 
Version tab. The vulnerability exists if the version is 
between 0.1.0.15 and 1.4.6. 

Unix/Linux/Mac - Run strings licrmt | grep BUILD from a 
Command prompt.  The following string format will be returned: 
"LICAGENT BUILD INFO = /x.x.x/Apr 16 2003/17:13:35", Where 
x.x.x is the file version.  The vulnerability exists if this 
file version is between v1.0.15 thru v1.4.6. 

Note the following default license install directories: 
Windows: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC 
Unix/Linux/Mac: /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic

Should you require additional information, please contact
CA Technical Support at http://supportconnect.ca.com.

Select Language for translations of this advisory:
English: http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
Deutsch: http://www.ca.com/de/support/security_notice.htm
Français: http://www.ca.com/france/notification_securite.htm
Español: http://www.ca.com/es/local/security_notice.htm
Japanese (日本語): http://www.casupport.jp/resources/info/050301security_notice.htm
Chinese (中文): http://www.ca.com.cn/press/releases/2005/03/security_notice.htm
Italiano: http://www.ca.com/it/security_notice.htm/
Português: http://www.ca.com/br/security_notice.htm

Computer Associates International, Inc. (CA). 
One Computer Associates Plaza. Islandia, NY 11749
        
Contact Us http://ca.com/catalk.htm
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://ca.com
© 2005 Computer Associates International, Inc. 
All rights reserved     

--
kw

Ken Williams ; Vulnerability Research
Computer Associates ; james.williams () ca com
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985