AutoSys Workload Automation

  • 1.  log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 01, 2022 02:35 AM
    Hi,

    We are using Workload Autosys AE version 11.3.6 and after checking the log4j library, we found the below path.

    /opt/CA/WorkloadAutomationAE/autosys/lib/log4j-1.2.16.jar

    So here, do we need to take any action for the log4j vulnerability?

    Thanks,
    Subrat


  • 2.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 02, 2022 11:51 AM
    Hi,

    I don't have an answer but have a similar concern.

    We've seen log4j throughout all of the different AutoSys components including the AutoSys Upgrade Assistant.

    I second the request for information/action.

    Thanks,
    Scott


  • 3.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 02, 2022 02:57 PM
    Log4j fix was made available for r12SP1
    https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111357&os=MULTI-PLATFORM

    As for 11.3.6 SPx, you'll need to remove the vulnerable classes in the log4j-1.2.16.jar file (and various other jar files under WCC, EEM, Agent, etc) by hand. If you open a case with CA Support, they may provide you with a basic shell script that does the work. We have had to use a home-grown python tool to do the same.
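
The class stripping described in post 3, as an added example; it is not part of the thread and is neither Broadcom's script nor the poster's tool. The class list is an assumption (the set commonly cited for log4j 1.x hardening), the sample jar is constructed in memory, and the code writes a stripped copy so the jar itself stays in place.

```python
import io
import zipfile

# Assumption: classes commonly cited for log4j 1.x hardening; not taken from
# this thread or from a Broadcom script. Adjust to the vendor's guidance.
RISKY = (
    "org/apache/log4j/net/JMSAppender",
    "org/apache/log4j/net/JMSSink",
    "org/apache/log4j/net/SocketServer",
    "org/apache/log4j/jdbc/JDBCAppender",
    "org/apache/log4j/chainsaw/",  # trailing slash: whole package
)

def is_risky(entry):
    """True for a listed class, its inner classes, or anything in a listed package."""
    return any(
        entry.startswith(item) if item.endswith("/")
        else entry == item + ".class" or entry.startswith(item + "$")
        for item in RISKY)

def find_risky(jar):
    """List risky entries in a jar given as a path or binary file object."""
    with zipfile.ZipFile(jar) as zf:
        return [name for name in zf.namelist() if is_risky(name)]

def strip_jar(src, dst):
    """Copy src to dst without the risky entries; src is left untouched."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if is_risky(info.filename):
                removed.append(info.filename)
            else:
                zout.writestr(info, zin.read(info.filename))
    return removed

def sample_jar():
    """Constructed stand-in for log4j-1.2.16.jar: real entry names, dummy bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/SocketAppender.class",
                     "org/apache/log4j/net/JMSAppender.class",
                     "org/apache/log4j/net/SocketServer.class",
                     "org/apache/log4j/chainsaw/Main.class"):
            zf.writestr(name, b"constructed")
    return buf

if __name__ == "__main__":
    out = io.BytesIO()
    print("removed:", strip_jar(sample_jar(), out), "remaining:", find_risky(out))
```

Run `find_risky` against every jar under the install tree first, since post 3 notes that other jars under WCC, EEM and the Agent carry the same classes.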


  • 4.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 03, 2022 01:47 AM
    Thanks Chandra for the details shared.
    Would you please let us know if we can delete the log4j jars manually in 11.3.6 SPx? If yes, which are the paths and files to change?


    Thanks,
    Subrat



  • 5.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 03, 2022 03:34 AM
    Okay to remove log4j-1.2.16.jar on Autosys Client/Agent hosts.
    NOT okay to remove on hosts with Autosys Java SDK.
    Not OK to remove on AE Web services. 
    Not OK to remove on WCC servers.
    Not OK to remove on EEM servers, if you have any.



  • 6.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 09, 2022 08:33 AM
    Thanks much Chandra. We are removing log4j-1.2.16.jar from all our Client/Agent hosts. 

    Here are the Autosys services running on our master instance Autosys servers. What is the process here to deal with log4j, or is the only way to raise a case with CA?

    CA Services Status Report

    Component Name                       Pid     Status
    ------------------------------------ ------- --------------
    WAAE Application Server (EQA)        18328   running
    WAAE Scheduler (EQA)                 18592   running
    WAAE Agent (WA_AGENT)                17570   running
    CA-wcc-services Server               6210    running
    CA-diadna Server                     16092   running
    CA-CCI Server                        16224   running
    CA-CCI Remote Server                 16278   running
    CA-CCI Clean Up                      16225   running
    CA-CCI Legacy Proxy                  16226   running
    CA-WV Status Server                  16962   running
    CA-wcc-db Server                     7673    running
    CA-wcc Server                        7713    running


  • 7.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 09, 2022 08:33 AM
    Thanks much Chandra. We are removing the log4j-1.2.16.jar from all our Agent/Client hosts. But need your suggestion for the Master Autosys servers wherein we have Event Server present.

    Here are the services running on the master Autosys servers. Is there any specific process to deal with log4j on the master servers, or is the only way to raise a case with CA support? Please suggest.


    CA Services Status Report

    Component Name                       Pid     Status
    ------------------------------------ ------- --------------
    WAAE Application Server (EQA)        18328   running
    WAAE Scheduler (EQA)                 18592   running
    WAAE Agent (WA_AGENT)                17570   running
    CA-wcc-services Server               6210    running
    CA-diadna Server                     16092   running
    CA-CCI Server                        16224   running
    CA-CCI Remote Server                 16278   running
    CA-CCI Clean Up                      16225   running
    CA-CCI Legacy Proxy                  16226   running
    CA-WV Status Server                  16962   running
    CA-wcc-db Server                     7673    running
    CA-wcc Server                        7713    running
     



  • 8.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Posted Jun 09, 2022 08:33 AM
    Thanks Chandra for the details. We are removing the jar file from all Client/Agent hosts. But need your suggestion to deal with Event Server hosts wherein below services are running.

    Is there any specific process to deal with log4j on the master Autosys (event server) hosts, or is the only way to raise a case with CA support? Please suggest.

    CA Services Status Report

    Component Name                       Pid     Status
    ------------------------------------ ------- --------------
    WAAE Application Server (EQA)        18328   running
    WAAE Scheduler (EQA)                 18592   running
    WAAE Agent (WA_AGENT)                17570   running
    CA-wcc-services Server               6210    running
    CA-diadna Server                     16092   running
    CA-CCI Server                        16224   running
    CA-CCI Remote Server                 16278   running
    CA-CCI Clean Up                      16225   running
    CA-CCI Legacy Proxy                  16226   running
    CA-WV Status Server                  16962   running
    CA-wcc-db Server                     7673    running
    CA-wcc Server                        7713    running


  • 9.  RE: log4j-1.2.16.jar vulnerability in Autosys

    Broadcom Employee
    Posted Aug 09, 2022 09:22 PM
    Hi,

    Recently published patches that include log4j updates:

    Regards,
    Mike