Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA20180328-01: Security Notice for CA API Developer Portal

Issued: March 28, 2018
Last Updated: March 28, 2018

CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist that can allow a remote attacker to conduct cross-site scripting attacks.

The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns profile picture management which can allow a remote attacker to conduct stored cross-site scripting attacks (CWE-79).

The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns the widgetID variable, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).

The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns how the apiExplorer handles requests, which can allow a remote attacker to conduct reflected cross-site scripting attacks (CWE-79).

Risk Rating

CVE Identifier

Risk Rating

CVE-2018-6586

Medium

CVE-2018-6587

Medium

CVE-2018-6588

Medium

Platform(s)

All supported platforms

Affected Products

CVE Identifier

Affected Product and Releases

CVE-2018-6586

CA API Developer Portal 3.5 GA through and including CR6

CVE-2018-6587

CA API Developer Portal 3.5 GA through and including CR6

CVE-2018-6588

CA API Developer Portal 3.5 GA through and including CR5

*CA API Developer Portal was formerly called CA Layer 7 API Portal

Unaffected Products

CA API Developer Portal 4 and newer releases

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find the product version and then use the table in the Affected Products section to determine if the installation is vulnerable.

Solution

CA Technologies published the following solution to address the vulnerabilities.

CA API Developer Portal 3.5:

Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in this security notice.

CA API Management Solutions & Patches

References

CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS

Acknowledgement

CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas from Biznet Bilisim A.S.

Change History

Version 1.0: 2018-03-28 - Initial Release

 

CA will send a notification about this security notice to customers who are subscribed to CA Technologies’ Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please send a report to the CA Technologies Product Vulnerability Response Team.

CA Technologies security notices