Headline
CVE-2022-22689: Support Content Notification - Support Portal - Broadcom support portal
CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.
CA20220203-01: Security Notice for CA Harvest Software Change Manager
CA20220203-01: Security Notice for CA Harvest Software Change Manager
Issued: February 3rd, 2022
CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions.
The vulnerability, CVE-2022-22689, occurs due to insufficient input validation. A privileged user can potentially execute arbitrary code or commands.
Risk Rating
CVE-2022-22689 - High
Platform(s)
Microsoft Windows, Linux, Linux s390x, Apple MacOS
Affected Products
CA Harvest Software Change Manager 13.0.3
CA Harvest Software Change Manager 13.0.4
CA Harvest Software Change Manager 14.0.0
CA Harvest Software Change Manager 14.0.1
Note: older, unsupported versions may be affected
How to determine if the installation is affected
For Harvest Workbench, check for “CA Harvest Software Change Manager Workbench” release number.
From Harvest workbench, Click on About > CA Harvest Software Change Manager Workbench
For 13.0.3 it would be 13.0.3.152
For 13.0.4 it would be 13.0.4.254
For 14.0.0 it would be 14.0.0.369
For 14.0.1 it would be 14.0.0.369
For Eclipse, check for “CA Harvest SCM Team Provider” feature version.
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a
For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or 13.0.4.254c
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a
For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a
Solution
CA Technologies published the following solutions to address the vulnerabilities:
Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or 14.0.1.
Fixes are available at:
13.0.3 APAR 99111332
13.0.4 APAR 99111333
14.0.0 APAR 99111334
14.0.1 APAR 99111356
How to determine if the fix is applied
For Harvest Workbench, check for “CA Harvest SCM Workbench” feature name.
From Harvest Workbench, Click on About > CA Harvest Software Change Manager Workbench > Installation Details > Features
Feature name would be “CA Harvest SCM Workbench-Efix-V0001”
For Eclipse, check for “CA Harvest SCM Team Provider” feature version.
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features
For 13.0.3 it would be 13.0.3.152b
For 13.0.4 it would be 13.0.4.254d
For 14.0.0 it would be 14.0.0.369b
For 14.0.1 it would be 14.0.2.16
References
CVE-2022-22689 - CA Harvest Software Change Manager CSV injection vulnerability
Acknowledgement
CVE-2022-22689 - Merten Nagel of usd AG
Change History
Version 1.0: 2022-02-03 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.
Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.