Title: CA Products That Embed Ingres Multiple Vulnerabilities
CA Advisory Date: 2008-08-01
Reported By: iDefense Labs
Impact: A remote attacker can execute arbitrary code, gain
privileges, or cause a denial of service condition.
Summary: CA products that embed Ingres contain multiple
vulnerabilities that can allow a remote attacker to execute
arbitrary code, gain privileges, or cause a denial of service
condition. These vulnerabilities exist in the products and on the
platforms listed below. These vulnerabilities do not impact any
Windows-based Ingres installation. The first vulnerability,
CVE-2008-3356, allows an unauthenticated attacker to potentially
set the user and/or group ownership of a verifydb log file to be
Ingres allowing read/write permissions to both. The second
vulnerability, CVE-2008-3357, allows an unauthenticated attacker
to exploit a pointer overwrite vulnerability to execute arbitrary
code within the context of the database server process. The third
vulnerability, CVE-2008-3389, allows an unauthenticated attacker
to obtain ingres user privileges. However, when combined with the
unsecured directory privileges vulnerability (CVE–2008-3357), root
privileges can be obtained.
Mitigating Factors: These vulnerabilities do not impact any
Windows-based Ingres installation.
Severity: CA has given these vulnerabilities a High risk rating.
Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
CleverPath Aion BPM r10.1, r10.2
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11
Affected Platforms:
Status and Recommendation:
The most prudent course of action for affected customers is to
download and apply the corrective maintenance. However, updates
are provided only for the following releases: 2.6 and r3
Important: Customers using products that embed an earlier version
of Ingres r3 should upgrade Ingres to the release that is
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX
platforms) before applying the maintenance updates. Please contact
your product's Technical Support team for more information.
For these products:
Admin r8.1 SP2
CA ARCserve Backup for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11
Apply the update below that is listed for your platform (note that
URLs may wrap):
AIX [3.0.3 (r64.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z
HP-UX Itanium [3.0.3 (i64.hpu/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z
HP-UX RISC [3.0.3 (hp2.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z
Linux AMD [3.0.3 (a64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z
Linux Intel 32bit [3.0.3 (int.lnx/103)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z
Linux Itanium [3.0.3 (i64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z
Solaris SPARC [3.0.3 (su9.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z
Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z
Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)
Unix/Linux:
For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2
Apply the build below that is listed for your platform (note that
URLs may wrap):
AIX
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12833-r64-us5.tar
HP-UX Itanium
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12831-i64-hpu.tar
HP-UX RISC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12830-hp2-us5.tar
Linux AMD EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-x86_64.tar.gz
Linux AMD II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-x86_64.tgz
Linux Intel EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-EI-linux-i386.tgz
Linux Intel II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-pc-linux-i386.tgz
Linux Itanium EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-ia64.tar.gz
Linux Itanium II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-ia64.tgz
Solaris SPARC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12834-su9-us5.tar
Solaris x64/x86
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12832-a64-sol.tar
Ingres r3 Build Install Steps (August 1, 2008)
Important: Prior to installing the build, a full operating system
backup of the $II_SYSTEM/ingres directory on Unix/Linux and
%II_SYSTEM%\ingres directory on Windows must be taken with Ingres
completely shut down. Also, a backup of any other DATA locations
that you may have must be taken, again with Ingres shut down. In
case there is a problem with the update install, this allows
Ingres to be restored from the backup.
Unix:
Linux:
For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0
Apply the update below that is listed for your platform (note that
URLs may wrap):
AIX 32bit [2.6/xxxx (rs4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12718.tar.Z
AIX 64bit [2.6/xxxx (r64.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12798.tar.Z
HP-UX with ARCserve 11.1 or 11.5/GA/SP1/SP2/SP3
https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3
HP-UX Itanium [2.6/xxxx (i64.hpu/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12748.tar.Z
HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12742.tar.Z
HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12888.tar.Z
HP-UX RISC 64bit [2.6/xxxx (hp2.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12749.tar.Z
HP Tru64 UNIX [2.6/xxxx (axp.osf/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12676.tar.Z
Linux AMD64 [2.6/xxxx (a64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12809.tar.Z
Linux Intel 32bit [2.6/xxxx (int.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12645.tar.Z
Linux Intel 32bit [2.6/xxxx (int.lnx/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12647.tar.Z
Linux Intel 32bit [2.6/xxxx (int.lnx/00)LFS]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12646.tar.Z
Linux Itanium [2.6/xxxx (i64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12648.tar.Z
Linux S/390 [2.6/xxxx (ibm.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12877.tar.Z
Solaris SPARC 32bit [2.6/xxxx (su4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12713.tar.Z
Solaris SPARC 32bit double [2.6/xxxx (su4.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12879.tar.Z
Solaris SPARC 64bit [2.6/xxxx (su9.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12751.tar.Z
Ingres 2.6 Vulnerability Updates Install Steps (August 1, 2008)
Unix/Linux:
How to determine if you are affected:
For these products:
Admin r8.1 SP2
ARCserve for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11
The Ingres release information is maintained in
%II_SYSTEM%\ingres\version.rel:
UNIX or Linux: cat version.rel
The release identifier will be as follows:
Operating System Release identifier
HP Sparc 32/64bit II 3.0.3 (hp2.us5/211)
HP Itanium II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit II 3.0.3 (a64.sol/211)
AIX 32/64bit II 3.0.3 (r64.us5/211)
Solaris 32/64bit II 3.0.3 (su9.us5/211)
AMD Linux II 3.0.3 (a64.lnx/211)
Intel Linux II 3.0.3 (int.lnx/103)
Itanium Linux II 3.0.3 (i64.lnx/211)
Notes:
For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2
The maintenance updates are provided for the latest r3 builds
supported by CA which are 3.0.3/103 (Linux) and 3.03/211 (UNIX
platforms). If the build embedded is earlier than 3.0.3, it has
to be upgraded to 3.0.3 to fix the vulnerabilities.
The Ingres release information is maintained in
%II_SYSTEM%\ingres\version.rel:
UNIX or Linux: cat version.rel
The release identifier will be as follows:
Operating System Release identifier
HP Sparc 32/64bit II 3.0.3 (hp2.us5/211)
HP Itanium II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit II 3.0.3 (a64.sol/211)
AIX 32/64bit II 3.0.3 (r64.us5/211)
Solaris 32/64bit II 3.0.3 (su9.us5/211)
AMD Linux II 3.0.3 (a64.lnx/211)
Intel Linux II 3.0.3 (int.lnx/103)
Itanium Linux II 3.0.3 (i64.lnx/211)
Important:
For Linux (AMD, Intel and Itanium) platforms, after applying the
build provided on this page, please download and apply the
maintenance update. For the other platforms, the builds are
patched to the latest maintenance update.
Note:
For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0
The Ingres release information is maintained in
%II_SYSTEM%\ingres\version.rel:
UNIX or Linux: cat version.rel
The release identifier will be as follows:
Operating System Release identifier
AIX 32bit II 2.6/xxxx (rs4.us5/00)
AIX 64bit II 2.6/xxxx (r64.us5/00)
HP-UX Itanium II 2.6/xxxx (i64.hpu/00)
HP-UX RISC 32bit II 2.6/xxxx (hpb.us5/00)
HP-UX RISC 32bit II 2.6/xxxx (hpb.us5/00)DBL
HP-UX RISC 64bit II 2.6/xxxx (hp2.us5/00)
HP Tru64 UNIX II 2.6/xxxx (axp.osf/00)
Linux AMD64 II 2.6/xxxx (a64.lnx/00)
Linux Intel 32bit II 2.6/xxxx (int.lnx/00)
Linux Intel 32bit II 2.6/xxxx (int.lnx/00)DBL
Linux Intel 32bit II 2.6/xxxx (int.lnx/00)LFS
Linux Itanium II 2.6/xxxx (i64.lnx/00)
Linux S/390 II 2.6/xxxx (ibm.lnx/00)
Solaris SPARC 32bit II 2.6/xxxx (su4.us5/00)
Solaris SPARC 32bit double II 2.6/xxxx (su4.us5/00)DBL
Solaris SPARC 64bit II 2.6/xxxx (su9.us5/00)
Note:
Workaround: None
References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA Products That Embed Ingres
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989
Solution Document Reference APARs:
RO01277 (ARCserve only)
CA Security Response Blog posting:
CA Products That Embed Ingres Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/06.aspx
Reported By:
iDefense Labs
Ingres Database for Linux verifydb Insecure File Permissions
Modification Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
Ingres Database for Linux libbecompat Stack Based Buffer Overflow
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732
Ingres Database for Linux ingvalidpw Untrusted Library Path
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733
Ingres
Security Vulnerability Announcement as of August 01, 2008
http://www.ingres.com/support/security-alert-080108.php
CVE References:
CVE-2008-3356 - Ingres verifydb file create permission override.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3356
CVE-2008-3357 - Ingres un-secure directory privileges with utility
ingvalidpw.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3357
CVE-2008-3389 - Ingres verifydb, iimerge, csreport buffer overflow.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3389
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.