CA20160721-01: Security Notice for CA eHealth

Document ID : KB000045709
Last Modified Date : 14/02/2018
Show Technical Document Details

Intruduction

CA Technologies Support is alerting customers to multiple potential risks with CA eHealth. Two vulnerabilities exist in the web interface, CVE-2016-6151 and CVE-2016-6152, that can allow a remote authenticated attacker to cause a denial of service condition or possibly execute arbitrary commands. CA technologies assigned a High risk rating to these vulnerabilities. CA has a solution available. The title of this CA eHealth Security Notice is CA20160721-01.

Risk Rating

CVE IdentifierRiskVulnerable Releases
CVE-2016-6151High6.2.x
CVE-2016-6152High6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x

Platform(s)

All

Affected Products

CA eHealth 6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x

How to determine if the installation is affected

Customers may check the build number by running the nhShowRev command

If the installed product Fix build is less than the release in the below table, the installation is vulnerable.

Product releaseFix build
CA eHealth 6.2.x, 6.3.x6.3.2.13

Solution

For all releases of CA eHealth, update to version 6.3.2.13 or later to resolve these vulnerabilities.

References

CVE-2016-6151 - CA eHealth 6.2.x remote denial of service/command execution
CVE-2016-6152 - CA eHealth 6.2.x, 6.3.x remote denial of service/command execution

Acknowledgement

CVE-2016-6151, CVE-2016-6152 - Ben Lincoln, NCC Group

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.