CA Plugs Message-Queuing Buffer Overflows

The software vendor releases patches for "moderately critical" denial-of-service and system access vulnerabilities.

Security flaws in CA's Message Queuing software could put users at risk of denial-of-service and system access attacks, the company warned in an advisory.

The Islandia, N.Y.-based software vendor flagged the vulnerabilities in all versions of the CAM (CA Message Queuing) software prior to v1.07 Build 220_13 and v1.11 Build 29_13 on multiple platforms.

In an alert posted online, Computer Associates International Inc. warned that the flaw opens the CAM TCP port to potential denial-of-service attacks.

In addition, CA said boundary errors in the affected software can be exploited to cause buffer overflows by sending specially crafted packets to the service.


Security alerts aggregator Secunia Inc. rated the bugs as "moderately critical" and warned that an attacker could successfully exploit the boundary errors to launch arbitrary code.

A third vulnerability was also patched to block a possible attack vector in which a spoofed CAFT (a CA application) could be launched to allow the execution of arbitrary commands with elevated privileges.


CAM is a messaging subcomponent which provides a "store and forward" messaging framework for applications. A number of CA applications use CAM for messaging requirements. CAFT, supplied with CAM, is an application that utilizes CAM for file transfers. CAFT is driven by messages it receives from CAM-enabled applications.

Software patches for the vulnerabilities can be found in this advisory.

Affected products include several versions of CA Advantage Data Transport, CA BrightStor Portal, CA CleverPath, CA eTrust Admin and CA Unicenter.

Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's Weblog.