Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to a potential risk with CA Release Automation. A vulnerability exists that can allow an attacker to potentially execute arbitrary code.
The vulnerability, CVE-2018-15691, has a high risk rating. It stems from insecure deserialization: a specially crafted serialized object can allow an attacker to potentially execute arbitrary code.
Affected platforms
All supported platforms
Affected products
CA Release Automation 6.3
CA Release Automation 6.4
CA Release Automation 6.5
Note: older, unsupported releases may be affected.
Products not affected
CA Release Automation 6.6
CA Release Automation 6.3 build 9945 or later
CA Release Automation 6.4 build 10119 or later
CA Release Automation 6.5 build 10080 or later
How to determine if the installation is affected
Check the build number with the Help->About menu option, or determine which fixes are applied by looking at the Fix_Maintenance directory.
CA Technologies published the following solutions to address the vulnerability.
CA Release Automation 6.3:
Apply Cumulative Fix build 9945 or later.
CA Release Automation 6.4:
Apply Cumulative Fix build 10119 or later.
CA Release Automation 6.5:
Apply Cumulative Fix build 10080 or later.
References
CVE-2018-15691 - CA Release Automation deserialization vulnerability
Acknowledgement
CVE-2018-15691 - Jakub Palaczynski and Maciej Grabiec
Change history
Version 1.0: 2018-08-29 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.