<<< Date Index >>>     <<< Thread Index >>>

CA Products That Embed Ingres Multiple Vulnerabilities



Title: CA Products That Embed Ingres Multiple Vulnerabilities


CA Advisory Date: 2008-08-01


Reported By: iDefense Labs


Impact: A remote attacker can execute arbitrary code, gain 
privileges, or cause a denial of service condition. 


Summary: CA products that embed Ingres contain multiple 
vulnerabilities that can allow a remote attacker to execute 
arbitrary code, gain privileges, or cause a denial of service 
condition. These vulnerabilities exist in the products and on the 
platforms listed below. These vulnerabilities do not impact any 
Windows-based Ingres installation. The first vulnerability, 
CVE-2008-3356, allows an unauthenticated attacker to potentially 
set the user and/or group ownership of a verifydb log file to be 
Ingres allowing read/write permissions to both. The second 
vulnerability, CVE-2008-3357, allows an unauthenticated attacker 
to exploit a pointer overwrite vulnerability to execute arbitrary 
code within the context of the database server process. The third 
vulnerability, CVE-2008-3389, allows an unauthenticated attacker 
to obtain ingres user privileges. However, when combined with the 
unsecured directory privileges vulnerability (CVE–2008-3357), root 
privileges can be obtained.


Mitigating Factors: These vulnerabilities do not impact any 
Windows-based Ingres installation.


Severity: CA has given these vulnerabilities a High risk rating.


Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
CleverPath Aion BPM r10.1, r10.2
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11


Affected Platforms:
1. Ingres verifydb file create permission override (CVE-2008-3356)
   This vulnerability impacts all platforms except Windows.
2. Ingres un-secure directory privileges with utility ingvalidpw 
   (CVE - 2008-3357)
   This vulnerability impacts only Linux and HP platforms.
3. Ingres verifydb, iimerge, csreport buffer overflow 
   (CVE-2008-3389)
   This vulnerability impacts only Linux and HP platforms.


Status and Recommendation:
The most prudent course of action for affected customers is to 
download and apply the corrective maintenance. However, updates 
are provided only for the following releases: 2.6 and r3

Important: Customers using products that embed an earlier version 
of Ingres r3 should upgrade Ingres to the release that is 
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX 
platforms) before applying the maintenance updates. Please contact 
your product's Technical Support team for more information.

For these products:
Admin r8.1 SP2
CA ARCserve Backup for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

Apply the update below that is listed for your platform (note that 
URLs may wrap):

AIX [3.0.3 (r64.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z

HP-UX Itanium [3.0.3 (i64.hpu/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z

HP-UX RISC [3.0.3 (hp2.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z

Linux AMD [3.0.3 (a64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z

Linux Intel 32bit [3.0.3 (int.lnx/103)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z

Linux Itanium [3.0.3 (i64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z

Solaris SPARC [3.0.3 (su9.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z

Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z

Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:
1. Log on to your system using the installation owner account and 
   make sure the environment is set up correctly:
      1. II_SYSTEM must be set to the Ingres system files
      2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility 
         directories.
2. Change directory to the root directory of the Ingres 
   installation or use a previously created directory.
      cd $II_SYSTEM/ingres
      or
      cd <patch_directory>
3. Copy the download maintenance update file in to the current 
   directory and uncompress
4. Read in the update file with the following commands:
      umask 022
      tar xf [update_file]
      This will create the directory:
      $II_SYSTEM/ingres/patchXXXXX
      or
      <patch_directory>/patchXXXXX
      Note: ‘XXXXX' in patchXXXXX refers to the update number
5. Stop all Ingres processes with the ‘ingstop' utility:
      ingstop
6. Change directory to the patch directory:
      cd patchXXXXX
7. Within the patch directory run the following command:
      ./utility/iiinstaller
      Please check the $II_SYSTEM/ingres/files/patch.log file to 
      make sure the patch was applied successfully. Also check the 
      $II_SYSTEM/ingres/version.rel to make sure the patch is 
      referenced.
      Note: The patch can also be installed silently using the ‘-m' 
      flag with iiinstaller:
      ./utility/iiinstaller -m
8. Once the patch install has been complete, re-link the iimerge 
   binary with the following command:
      iilink
9. Ingres can then be restarted with the ‘ingstart' utility:
      ingstart

For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2

Apply the build below that is listed for your platform (note that 
URLs may wrap):

AIX
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12833-r64-us5.tar

HP-UX Itanium
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12831-i64-hpu.tar

HP-UX RISC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12830-hp2-us5.tar

Linux AMD EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-x86_64.tar.gz

Linux AMD II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-x86_64.tgz

Linux Intel EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-EI-linux-i386.tgz

Linux Intel II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-pc-linux-i386.tgz

Linux Itanium EI build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-ia64.tar.gz

Linux Itanium II build
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-ia64.tgz

Solaris SPARC
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12834-su9-us5.tar

Solaris x64/x86
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12832-a64-sol.tar

Ingres r3 Build Install Steps (August 1, 2008)

Important: Prior to installing the build, a full operating system 
backup of the $II_SYSTEM/ingres directory on Unix/Linux and 
%II_SYSTEM%\ingres directory on Windows must be taken with Ingres 
completely shut down. Also, a backup of any other DATA locations 
that you may have must be taken, again with Ingres shut down. In 
case there is a problem with the update install, this allows 
Ingres to be restored from the backup.

Unix:
1. Log in to the system as the installation owner and make sure 
   the environment is set up correctly:
      1. II_SYSTEM must be set to the Ingres home directory
      2. PATH must include $II_SYSTEM/ingres/bin and 
         $II_SYSTEM/ingres/utility directories
      3. Add $II_SYSTEM/ingres/lib to the shared library path
      4. Set TERM to ‘vt100' and TERM_INGRES to ‘vt100fx'
2. Copy the downloaded update file to the /tmp directory and 
   uncompress
3. Read in the update file with the following commands:
      umask 022
      tar xf [update_file]
      This creates a directory containing the distribution and 
      other files.
4. Stop all applications that may be connected to or using any of 
   the files in the Ingres instance.
5. Stop all Ingres processes with the ‘ingstop' utility:
      ingstop
6. Important: Take an operating system backup of the 
   $II_SYSTEM/ingres directory and other DATA locations that you 
   may have elsewhere. Also, copy the 
   $II_SYSTEM/ingres/files/config.dat and 
   $II_SYSTEM/ingres/files/symbol.tbl files to a safe location to 
   ensure that the configuration can be restored.
7. From the root directory of the Ingres installation 
   ($II_SYSTEM/ingres), run the following command:
      tar xf /tmp/<update_directory>/ingres.tar install
8. Run the following command:
      install/ingbuild
9. The initial install screen appears.
10. In the Distribution medium enter the full path to the 
    ‘ingres.tar' file (including the file) (See step 4).
11. Choose PackageInstall from the list of installation options 
    and then choose ‘Stand alone DBMS Server' from the list of 
    packages. Then choose ExpressInstall.
12. Choose Yes in the pop-up screen and press Enter key.
      The install utility verifies that each component was 
      transferred properly from the distribution medium. When this 
      is finished (without errors), another pop-up screen for 
      setting up the components comes up.
13. Select Yes and press Enter key to go to the Setup program.
14. Once the installation is complete, check the 
    $II_SYSTEM/ingres/files/install.log for any errors. Also, 
    check the $II_SYSTEM/ingres/version.rel file to verify the new 
    build is referenced; this should show 3.0.3 for the build.
15. If there are no errors, then restore the 
    $II_SYSTEM/ingres/files/config.dat and 
    $II_SYSTEM/ingres/files/symbol.tbl files from the copies made 
    in step 6 to replace the existing files.
16. Start Ingres using the ‘ingstart' utility:
      ingstart
17. Upgrade the databases in the installation to the new release 
    level:
      upgradedb -all

Linux:
1. Log on to the machine as ‘root'.
2. Copy the downloaded build update file and to a previously 
   chosen directory and uncompress.
3. Read in the update file with the following command:
      tar xf [update file]
      This creates a directory containing rpm packages for all of 
   the Ingres tools.
4. Shut down any non-Ingres application(s) that may be connected 
   to or using any of the files in the specified Ingres instance.
5. Stop all Ingres processes with the ‘ingstop' utility:
      ingstop
6. Important: Take an operating system backup of the 
   $II_SYSTEM/ingres directory and other DATA locations that you 
   may have elsewhere.
7. From the directory that was created in step 3, install the 
   update rpms with the following command:
      rpm –Uvh *.rpm
      If the following error is seen for either the 
      ‘ca-ingres-documentation-3.0.3-103', the 
      ‘ca-ingres-CATOSL-3.0.3-103' or the 
      ‘ca-cs-utils-11.0.04348-0000' (or all of them) packages,
      remove them from the directory containing the rpms and 
      re-run the above command:
      package <package-name> is already installed
8. If the installation finishes successfully, then log on as 
   ‘ingres' to the machine and start Ingres using the ‘ingstart' 
   utility:
      ingstart
9. Upgrade ‘mdb' database with the following command:
      upgradedb -all

For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0

Apply the update below that is listed for your platform (note that 
URLs may wrap):

AIX 32bit [2.6/xxxx (rs4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12718.tar.Z

AIX 64bit [2.6/xxxx (r64.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12798.tar.Z

HP-UX with ARCserve 11.1 or 11.5/GA/SP1/SP2/SP3
https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3

HP-UX Itanium [2.6/xxxx (i64.hpu/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12748.tar.Z

HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12742.tar.Z

HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12888.tar.Z

HP-UX RISC 64bit [2.6/xxxx (hp2.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12749.tar.Z

HP Tru64 UNIX [2.6/xxxx (axp.osf/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12676.tar.Z

Linux AMD64 [2.6/xxxx (a64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12809.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12645.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12647.tar.Z

Linux Intel 32bit [2.6/xxxx (int.lnx/00)LFS]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12646.tar.Z

Linux Itanium [2.6/xxxx (i64.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12648.tar.Z

Linux S/390 [2.6/xxxx (ibm.lnx/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12877.tar.Z

Solaris SPARC 32bit [2.6/xxxx (su4.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12713.tar.Z

Solaris SPARC 32bit double [2.6/xxxx (su4.us5/00)DBL]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12879.tar.Z

Solaris SPARC 64bit [2.6/xxxx (su9.us5/00)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12751.tar.Z

Ingres 2.6 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:
1. Log on to your system using the installation owner account and 
   make sure the environment is set up correctly:
      1. II_SYSTEM must be set to the Ingres system files
      2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility 
         directories.
2. Change directory to the root directory of the Ingres 
   installation or use a previously created directory.
      cd $II_SYSTEM/ingres
      or
      cd <patch_directory>
3. Copy the download maintenance update file in to the current 
   directory and uncompress
4. Read in the update file with the following commands:
      umask 022
      tar xf [update_file]
      This will create the directory:
      $II_SYSTEM/ingres/patchXXXXX
      or
      <patch_directory>/patchXXXXX
      Note: ‘XXXXX' in patchXXXXX refers to the update number
5. Stop all Ingres processes with the ‘ingstop' utility:
      ingstop
6. Change directory to the patch directory:
      cd patchXXXXX
7. Within the patch directory run the following command:
      ./utility/iiinstaller
      Please check the $II_SYSTEM/ingres/files/patch.log file to 
      make sure the patch was applied successfully. Also check the 
      $II_SYSTEM/ingres/version.rel to make sure the patch is 
      referenced.
      Note: The patch can also be installed silently using the 
      ‘-m' flag with iiinstaller:
      ./utility/iiinstaller -m
8. Once the patch install has been complete, re-link the iimerge 
   binary with the following command:
      iilink
9. Ingres can then be restarted with the ‘ingstart' utility:
      ingstart


How to determine if you are affected:

For these products:
Admin r8.1 SP2
ARCserve for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

The Ingres release information is maintained in 
%II_SYSTEM%\ingres\version.rel:
    UNIX or Linux: cat version.rel

The release identifier will be as follows:
Operating System        Release identifier
HP Sparc 32/64bit       II 3.0.3 (hp2.us5/211)
HP Itanium              II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit  II 3.0.3 (a64.sol/211)
AIX 32/64bit            II 3.0.3 (r64.us5/211)
Solaris 32/64bit        II 3.0.3 (su9.us5/211)
AMD Linux               II 3.0.3 (a64.lnx/211)
Intel Linux             II 3.0.3 (int.lnx/103)
Itanium Linux           II 3.0.3 (i64.lnx/211)

Notes:
1. You would need to install the Ingres build instead of the patch 
   if either of the following is true:
      1. If the Ingres release for your platform is not 3.0.3 in 
      the release identifier
      or
      2. The Ingres release is 3.0.3 but the build level is not 
      103 for Linux and 211 for all the Unix platforms.
      If either of the above is true then download and apply the 
      latest build for your operating system(s).
2. If the OS platform you are running Ingres on is not listed, 
   please contact Technical Support.

For these products:
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
ARCserve for Linux r11.5 GA/SP1
CleverPath Aion BPM r10.1
CleverPath Aion BPM r10.2

The maintenance updates are provided for the latest r3 builds 
supported by CA which are 3.0.3/103 (Linux) and 3.03/211 (UNIX 
platforms). If the build embedded is earlier than 3.0.3, it has 
to be upgraded to 3.0.3 to fix the vulnerabilities.

The Ingres release information is maintained in 
%II_SYSTEM%\ingres\version.rel:
    UNIX or Linux: cat version.rel

The release identifier will be as follows:
Operating System        Release identifier
HP Sparc 32/64bit       II 3.0.3 (hp2.us5/211)
HP Itanium              II 3.0.3 (i64.hpu/211)
Intel Solaris 32/64bit  II 3.0.3 (a64.sol/211)
AIX 32/64bit            II 3.0.3 (r64.us5/211)
Solaris 32/64bit        II 3.0.3 (su9.us5/211)
AMD Linux               II 3.0.3 (a64.lnx/211)
Intel Linux             II 3.0.3 (int.lnx/103)
Itanium Linux           II 3.0.3 (i64.lnx/211)

Important:
For Linux (AMD, Intel and Itanium) platforms, after applying the 
build provided on this page, please download and apply the 
maintenance update. For the other platforms, the builds are 
patched to the latest maintenance update.
Note:
1. If the release you are using is already 3.0.3 build 103 on 
   Linux and 3.0.3 build 211 on Unix, then download and install 
   the maintenance update.
2. If the OS platform you are running Ingres on is not listed, 
   please contact Technical Support.

For these products:
CA ARCserve Backup for Unix r11.1
CA ARCserve Backup for Unix r11.5 GA/SP1/SP2
CA ARCserve Backup for Unix r11.5 SP3
CA ARCserve Backup for Linux r11.1
EEM 8.1
eTrust Audit/SCC 8.0 sp2
NSM 3.0 0305
NSM 3.1 0403
NSM r3.1 SP1 0703
Unicenter Service Catalog r2.2
Unicenter ServicePlus Service Desk 6.0

The Ingres release information is maintained in 
%II_SYSTEM%\ingres\version.rel:
    UNIX or Linux: cat version.rel

The release identifier will be as follows:
Operating System            Release identifier
AIX 32bit                   II 2.6/xxxx (rs4.us5/00)
AIX 64bit                   II 2.6/xxxx (r64.us5/00)
HP-UX Itanium               II 2.6/xxxx (i64.hpu/00)
HP-UX RISC 32bit            II 2.6/xxxx (hpb.us5/00)
HP-UX RISC 32bit            II 2.6/xxxx (hpb.us5/00)DBL
HP-UX RISC 64bit            II 2.6/xxxx (hp2.us5/00)
HP Tru64 UNIX               II 2.6/xxxx (axp.osf/00)
Linux AMD64                 II 2.6/xxxx (a64.lnx/00)
Linux Intel 32bit           II 2.6/xxxx (int.lnx/00)
Linux Intel 32bit           II 2.6/xxxx (int.lnx/00)DBL
Linux Intel 32bit           II 2.6/xxxx (int.lnx/00)LFS
Linux Itanium               II 2.6/xxxx (i64.lnx/00)
Linux S/390                 II 2.6/xxxx (ibm.lnx/00)
Solaris SPARC 32bit         II 2.6/xxxx (su4.us5/00)
Solaris SPARC 32bit double  II 2.6/xxxx (su4.us5/00)DBL
Solaris SPARC 64bit         II 2.6/xxxx (su9.us5/00)

Note:
1. If the Ingres release embedded in your product is not 2.6, 
   please get the appropriate update here.
2. If the OS platform you are running Ingres on is not listed, 
   please contact Technical Support.
3. For HP-UX platform with CA ARCserve Backup 11.1 or 
   11.5/GA/SP1/SP2/SP3, download the published ARCserve fix, 
   RO01277:
   
https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3
   and follow the enclosed instructions to install the security 
   patch.


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA Products That Embed Ingres
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989
Solution Document Reference APARs:
RO01277 (ARCserve only)
CA Security Response Blog posting:
CA Products That Embed Ingres Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/06.aspx
Reported By: 
iDefense Labs
Ingres Database for Linux verifydb Insecure File Permissions 
   Modification Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731
Ingres Database for Linux libbecompat Stack Based Buffer Overflow 
   Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732
Ingres Database for Linux ingvalidpw Untrusted Library Path 
   Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733
Ingres
Security Vulnerability Announcement as of August 01, 2008
http://www.ingres.com/support/security-alert-080108.php
CVE References:
CVE-2008-3356 - Ingres verifydb file create permission override.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3356
CVE-2008-3357 - Ingres un-secure directory privileges with utility 
   ingvalidpw.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3357
CVE-2008-3389 - Ingres verifydb, iimerge, csreport buffer overflow.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3389
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to our product security response team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749
        
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.