Release date:
Updated on:
Affected Systems:
Computer Associates Total Defense 12 SE2
Computer Associates Total Defense 12 SE1
Unaffected Systems:
Computer Associates Total Defense 12 SE3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 51915
Computer Associates Total Defense is a multi-layer protection system integrated with network security services such as anti-virus, anti-spyware, Gateway Security, and host intrusion protection systems.
Computer Associates Total Defense contains SQL injection and information leakage vulnerabilities in its implementation. After successful exploitation, attackers can obtain sensitive information, control applications, access or modify data, and execute arbitrary commands using the 'exec()' function with system-level permissions to completely control the affected systems.
<* Source: Andrea Micalizzi aka rgod
Link: http://www.zerodayinitiative.com/advisories/ZDI-12-022/
http://www.zerodayinitiative.com/advisories/ZDI-12-023/
http://www.zerodayinitiative.com/advisories/ZDI-12-024/
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Computer Associates
-------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.cai.com/