--0000000000006d3d3c05d7228a13 Content-Type: text/plain; charset="UTF-8" -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20220203-01: Security Notice for CA Harvest Software Change Manager Issued: February 3rd, 2022 CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions. The vulnerability, CVE-2022-22689, occurs due to insufficient input validation. A privileged user can potentially execute arbitrary code or commands. Risk Rating CVE-2022-22689 - High Platform(s) Microsoft Windows, Linux, Linux s390x, Apple MacOS Affected Products CA Harvest Software Change Manager 13.0.3 CA Harvest Software Change Manager 13.0.4 CA Harvest Software Change Manager 14.0.0 CA Harvest Software Change Manager 14.0.1 Note: older, unsupported versions may be affected How to determine if the installation is affected For Harvest Workbench, check for "CA Harvest Software Change Manager Workbench" release number. - From Harvest workbench, Click on About > CA Harvest Software Change Manager Workbench For 13.0.3 it would be 13.0.3.152 For 13.0.4 it would be 13.0.4.254 For 14.0.0 it would be 14.0.0.369 For 14.0.1 it would be 14.0.0.369 For Eclipse, check for "CA Harvest SCM Team Provider" feature version. - From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or 13.0.4.254c For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a Solution CA Technologies published the following solutions to address the vulnerabilities: Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or 14.0.1. Fixes are available at https://support.broadcom.com/ 13.0.3 APAR 99111332 13.0.4 APAR 99111333 14.0.0 APAR 99111334 14.0.1 APAR 99111356 How to determine if the fix is applied For Harvest Workbench, check for "CA Harvest SCM Workbench" feature name. - From Harvest Workbench, Click on About > CA Harvest Software Change Manager Workbench > Installation Details > Features Feature name would be "CA Harvest SCM Workbench-Efix-V0001" For Eclipse, check for "CA Harvest SCM Team Provider" feature version. - From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features For 13.0.3 it would be 13.0.3.152b For 13.0.4 it would be 13.0.4.254d For 14.0.0 it would be 14.0.0.369b For 14.0.1 it would be 14.0.2.16 References CVE-2022-22689 - CA Harvest Software Change Manager CSV injection vulnerability Acknowledgement CVE-2022-22689 - Merten Nagel of usd AG Change History Version 1.0: 2022-02-03 - Initial Release CA customers may receive product alerts and advisories by subscribing to Proactive Notifications on the support site. Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team at ca.psirt broadcom.com Security Notices, PGP key, disclosure policy, and related guidance can be found at: https://techdocs.broadcom.com/ca-psirt Regards, Ken Williams Vulnerability and Incident Response, Broadcom and CA PSIRT https://techdocs.broadcom.com/ca-psirt https://www.broadcom.com/support/resources/product-security-center ken.williamsbroadcom.com | ca.psirtbroadcom.com | psirtbroadcom.com | Broadcom | broadcom.com Copyright (c) 2022 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBYfwyskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74 NfFlXQY5b+Azl8h1z0mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb HDgfqhpSLwlGgfhDq93H185+1JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr UK6h03PZWriexDqhNPszSG8+XHVxDBsMVxvIoV7REM83PV9QbBC2Y2506s2NcOsr zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGCvXNZXvF6v/gmbKwUoj1fLVxr+ B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+mybvr8D1Betjxjqp8fQuN n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i1b+qlfEMp6v WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV+DE4 quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbs PQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf om/NSIkMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky 9tdZUcfmjEE= =+rbw -----END PGP SIGNATURE----- -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. --0000000000006d3d3c05d7228a13 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA51= 2

CA20220203-01: Security Notice for CA Harvest Software Change Mana= ger

Issued: February 3rd, 2022

CA Technologies, A Broadcom Co= mpany, is alerting customers to a
vulnerability in CA Harvest Software = Change Manager. A vulnerability
exists that can allow a privileged user= to perform CSV injection
attacks and potentially execute arbitrary cod= e or commands. Note that
this vulnerability is specific to the Harvest = Workbench and Eclipse
Plugin interfaces. CA published solutions to addr= ess this
vulnerability and recommends that all affected customers imple= ment
these solutions.

The vulnerability, CVE-2022-22689, occurs = due to insufficient input
validation.=C2=A0 A privileged user can poten= tially execute arbitrary code
or commands.


Risk Rating
CVE-2022-22689 - High


Platform(s)

Microsoft Windows, Li= nux, Linux s390x, Apple MacOS


Affected Products

CA Harves= t Software Change Manager 13.0.3
CA Harvest Software Change Manager 13.0= .4
CA Harvest Software Change Manager 14.0.0
CA Harvest Software Chan= ge Manager 14.0.1
Note: older, unsupported versions may be affected
<= br>
How to determine if the installation is affected

For Harvest = Workbench, check for "CA Harvest Software Change Manager
Workbench&= quot; release number.

- From Harvest workbench, Click on About > = CA Harvest Software
Change Manager Workbench
For 13.0.3 it would be 1= 3.0.3.152
For 13.0.4 it would be 13.0.4.254
For 14.0.0 it would be 14= .0.0.369
For 14.0.1 it would be 14.0.0.369

For Eclipse, check for= "CA Harvest SCM Team Provider" feature
version.

- Fro= m Eclipse, Click on About > About Eclipse IDE >
Installation Deta= ils > Features
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a
Fo= r 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or
13.0.4.= 254c
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a
For 14.0.1 it w= ould be 14.0.0.369 or 14.0.0.369a =C2=A0


Solution

CA Tech= nologies published the following solutions to address the
vulnerabiliti= es:

Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, o= r
14.0.1.

Fixes are available at https://support.broadcom.com/
13.0.3 APAR 99111332
13.= 0.4 APAR 99111333
14.0.0 APAR 99111334
14.0.1 APAR 99111356

How to determine if the fix is applied

For Harvest Workbench, chec= k for "CA Harvest SCM Workbench" feature
name.

- From = Harvest Workbench, Click on About > CA Harvest Software
Change Manage= r Workbench > Installation Details > Features

Feature name wou= ld be "CA Harvest SCM Workbench-Efix-V0001"

For Eclipse, c= heck for "CA Harvest SCM Team Provider" feature version.

-= From Eclipse, Click on About > About Eclipse IDE >
Installation = Details > Features
For 13.0.3 it would be 13.0.3.152b
For 13.0.4 i= t would be 13.0.4.254d
For 14.0.0 it would be 14.0.0.369b
For 14.0.1= it would be 14.0.2.16


References

CVE-2022-22689 - CA Har= vest Software Change Manager CSV injection
vulnerability


Ack= nowledgement

CVE-2022-22689 - Merten Nagel of usd AG


Chan= ge History

Version 1.0: 2022-02-03 - Initial Release


CA c= ustomers may receive product alerts and advisories by subscribing
to Pr= oactive Notifications on the support site.

Customers who require add= itional information about this notice may
contact CA Technologies Suppo= rt at https://support.broadcom.co= m/

To report a suspected vulnerability in a CA Technologies prod= uct,
please send a summary to the CA Technologies Product Vulnerability=
Response Team at ca.psirt <AT> b= roadcom.com

Security Notices, PGP key, disclosure policy, and re= lated guidance can
be found at: https://techdocs.broadcom.com/ca-psirt


Regards,<= br>Ken Williams
Vulnerability and Incident Response, Broadcom and CA PSI= RT
https://techdocs.b= roadcom.com/ca-psirt
https://www.broadcom.com/support/resources/= product-security-center
ken.williams<AT>broadcom.com | ca.psirt<AT>broadcom.com |
psirt<AT>b= roadcom.com | Broadcom | broadcom.com

Copyright (c) 2022 Broadcom. All Rights Reserved. The term "= Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadco= m, the pulse
logo, Connecting everything, CA Technologies and the CA te= chnologies
logo are among the trademarks of Broadcom. All trademarks, t= rade names,
service marks and logos referenced herein belong to their r= espective
companies.

-----BEGIN PGP SIGNATURE-----
Version: E= ncryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsFVAwUBYfw= yskhOfcBZzIOXAQpX8g/8CWQQgr1CeH2unkbYV6IPFC3XMI7B3U74
NfFlXQY5b+Azl8h1z0= mUAVpxRVpBJUEnqb4B9u5H1Fz8EObzU0liNEpacxyKXPYb
HDgfqhpSLwlGgfhDq93H185+1= JICpC2GUPTKXJHWmm/jwKQTD1mBb/q/8W0e/KLr
UK6h03PZWriexDqhNPszSG8+XHVxDBsM= VxvIoV7REM83PV9QbBC2Y2506s2NcOsr
zSQ7pxZiMfPZV3/px29IYGE1N15tvHTHIvqpJGC= vXNZXvF6v/gmbKwUoj1fLVxr+
B0ULTV4sE0I+Sfz8OTOGsVTMHogL46BIsp/Ftlu2ZL+myb= vr8D1Betjxjqp8fQuN
n4WcUkXymMNzBcy4iPG3o+47jvXUu6YbSz6lRsjjlagMXhWG2678i= 1b+qlfEMp6v
WzeCEh5ab1jA7/AzIqDbMs+ZUe8+tZGThlCzTpkPJhJiSTxZ3jcZCqrYV+oV= +DE4
quEQwNzko2n4jdwmhQ755VZVAtwxVEeFYp61A1I+evrZNJ5CIoOaJdjM2EvPmMbsPQiRF3hz99HSC3kFNREo1t9KXdj3mX7asGY5SiHP5nwV+GysYPyZblUAgmxFG7Jf
om/NSI= kMqyFEtZu01qGfmm+oFmal48xahmnXMayNSDnnn4TVXxPnGoyWBHVocWky
9tdZUcfmjEE= =3D
=3D+rbw
-----END PGP SIGNATURE-----

This ele= ctronic communication and the information and any files transmitted with it= , or attached to it, are confidential and are intended solely for the use o= f the individual or entity to whom it is addressed and may contain informat= ion that is confidential, legally privileged, protected by privacy laws, or= otherwise restricted from disclosure to anyone else. If you are not the in= tended recipient or the person responsible for delivering the e-mail to the= intended recipient, you are hereby notified that any use, copying, distrib= uting, dissemination, forwarding, printing, or copying of this e-mail is st= rictly prohibited. If you received this e-mail in error, please return the = e-mail to the sender, delete it from your computer, and destroy any printed= copy of it. --0000000000006d3d3c05d7228a13--