CA Technologies Support is alerting customers to multiple potential risks with CA eHealth. Two vulnerabilities exist in the web interface, CVE-2016-6151 and CVE-2016-6152, that can allow a remote authenticated attacker to cause a denial of service condition or possibly execute arbitrary commands. CA technologies assigned a High risk rating to these vulnerabilities. CA has a solution available. The title of this CA eHealth Security Notice is CA20160721-01.
|CVE Identifier||Risk||Vulnerable Releases|
|CVE-2016-6152||High||6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x|
CA eHealth 6.2.x, 6.3.0.x, 6.3.1.x, 6.3.2.x
How to determine if the installation is affected
Customers may check the build number by running the nhShowRev command
If the installed product Fix build is less than the release in the below table, the installation is vulnerable.
|Product release||Fix build|
|CA eHealth 6.2.x, 6.3.x||220.127.116.11|
For all releases of CA eHealth, update to version 18.104.22.168 or later to resolve these vulnerabilities.
CVE-2016-6151 - CA eHealth 6.2.x remote denial of service/command execution
CVE-2016-6152 - CA eHealth 6.2.x, 6.3.x remote denial of service/command execution
CVE-2016-6151, CVE-2016-6152 - Ben Lincoln, NCC Group
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.