Automic Workload Automation


Security Notice for CA Automic Automation

  • 1.  Security Notice for CA Automic Automation

    Posted 18 days ago
    CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

    More info can be found here:
    Support Content Notification - Support Portal - Broadcom support portal


    /Keld.


  • 2.  RE: Security Notice for CA Automic Automation

    Posted 15 days ago
    Edited by Carsten Schmitz 15 days ago
    @Kaj Wierda I appreciate the heads-up here. But as a company, we are displeased with the way Broadcom (still) reports Automic security bulletins. Points I kindly ask to take into consideration:

    1. As an administrator, it's my task to make specific recommendations on just how critical updating is. This announcement is rather light on details. The links are dead (there are no "CVE2022-pending1"-style things in the CVE database). It would be very much required to have some more in-depth information to advise decision makers on short notice whether to approve an emergency update or not.

    2. Related: Does this not even specify WHICH agent is affected? You are selling a multitude of Automic agents. Sorry, merely saying "CA Automic Automation Agent" does not cut it. Windows? Linux? Maybe even Java? We have multiple engines and potentially up to 900 agents. I'd rather you identify your products than me doing overtime to do emergency updates on some obscure RA agent potentially due to incomplete vendor information.

    Thanks, regards,
    Carsten

    ------------------------------



  • 3.  RE: Security Notice for CA Automic Automation

    Posted 15 days ago
    I agree 100%. This announcement should contain detailed information.
    That said, I believe it is related to UNIX-only agents based upon the link referenced: "The original Automic Automation security advisory can be found here."




  • 4.  RE: Security Notice for CA Automic Automation

    Posted 14 days ago
    Thanks for the link, Timothy.

    I am just confused about the date of this notification (Id 18598): 06 August 2021 !?
    Did we all miss out on this alert?


    ------------------------------
    Regards, Nicole
    ------------------------------



  • 5.  RE: Security Notice for CA Automic Automation

    Posted 14 days ago
    What @Carsten Schmitz says.


  • 6.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted 13 days ago
    Thanks for the feedback. Several updates were made to this follow-up notification based on your feedback, including a more precise solution indicating which agents are affected (UNIX).

    ------------------------------
    Kaj Wierda
    Sr. Product Line Manager | Automation

    Broadcom Software
    ------------------------------



  • 7.  RE: Security Notice for CA Automic Automation

    Posted 8 days ago
    Edited by Carsten Schmitz 8 days ago
    All: Broadcom has published an UPDATE to the security advisory.

    I don't know about you, but I have NOT received email notification about this by Broadcom. Either way, here it is:

    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629

    12.3.7+HF2 is NOT sufficient anymore, apparently one now needs 12.3.8 instead. Or maybe 21? Not sure. Apparently, writing unambiguous advisories is hard :(

    For all vulnerabilities:

    • Upgrade UNIX Agents and Automation Engine to V21

    The current and recommended releases are 21.0.3 or 12.3.8.

    It also adds that for V12.3.x, the agent authentication method needs to be changed to LOCAL_REMOTE, which entails downloading, from AWI, a key file for every agent, and deploying it as a zip file to every agent (that has a key store).

    Side note: For us, this means we'd need to download about 800 files manually, by hand, from AWI, and deploy them to computers that are managed by a third party. Which is NOT a workable process.




  • 8.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted 7 days ago
    Edited by Shannon Hebert 7 days ago
    Hi Carsten and All,

    Our notifications are sent from support-noreply@broadcom.com and contain a hyperlink that your corporate email security may have flagged. I'll look to ensure all is working as it should with our notifications, though please ensure you're signed up for all related Automic products by searching and enabling the notification from here: https://support.broadcom.com/user/notifications.html

    Our goal with the recent security advisory is to ensure customers don't get compromised. We provided fixes and published a security advisory last year to give customers adequate time to upgrade. We chose not to disclose details publicly to protect customers and allow you time to upgrade/apply fixes. The security researcher requested public recognition, which is the reason for filing the CVEs, now updated here.

    As stated in the announcement, the recommendation and solution for the Unix agent vulnerabilities are to update to at least 12.3.7. We recommend you use the latest version of the major release you're on, which is currently 12.3.8 HF3, and 21.0.3 HF1 was published today.
    The recommendation for the Automation Engine vulnerability is to either turn on the local_remote authentication method or update it to 21.0. Both can be used. Or, if our customers use local_remote for authentication in 12.3 as a short to medium-term mitigation, it can be turned off in 21.0 using the method described in the documentation. 

    • It is also possible in version 21.0 to retrieve the authentication package through a REST method.

    When considering what action to take, the risk is reduced substantially if your agents are protected within internal networks and have strict security guidelines for users. If agents are located on the DMZ/accessible to the internet, the AE engine, components, and agents should be upgraded to 12.3.7+ with local_remote or v21 with TLS in place as they're at risk. Each customer will have to assess the risk for themselves.

    Broadcom PM, Engineering, and Support want to ensure customers take appropriate action to mitigate potential risk. We'll look over your upgrade plan and give feedback before your maintenance. If you're upgrading to v21.0, we have July 16th and October 15th open for 2022 Designated Upgrade Weekends.

    Please create a Support case if you have any questions or would like us to review your plans.

    Thanks,

    -Shannon


    Shannon Hebert

    Manager of Automation Support

    Broadcom Software 




  • 9.  RE: Security Notice for CA Automic Automation

    Posted 7 days ago
    Hi @Shannon Hebert

    I just want to ask this. Why is the final fix (not workaround or mitigation) for CVE-2022-33756 only available for v21 but not for versions with 12.3.x?





  • 10.  RE: Security Notice for CA Automic Automation

    Posted 7 days ago
    Hi,

    CVE-2022-33756 is a weakness in Automic's authentication algorithm, which was replaced by TLS in version 21.

    So the fix would be to backport TLS support to 12.x, which was one of the, if not the, major change in V21 and can't be done easily or in a reasonable amount of time.

    Regards, Matthias


  • 11.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted 5 days ago
    Hi Olgun, Matthias, and All,

    Over the past several days, we've been discussing how we could enable this process to be more straightforward for 12.3 and a large number of agents. Matthias is correct that porting TLS to 12.3 is a significant architectural change we designed for in v21. By versioning standards, this is one of the several reasons we can identify v21 as a new major release.

    We're brainstorming other possibilities to update the encryption keys, but this is not a straightforward task with the safeguards in place in 12.3.

    Please continue your remediation of the vulnerabilities by following our current documented process. We'll let you know if we can identify a time-saving approach to update these keys while maintaining the stabilization of the 12.3 ecosystems.

    Thank you,

    -Shannon


    Shannon Hebert

    Manager of Automation Support

    Broadcom Software | Agile Operations Division




  • 12.  RE: Security Notice for CA Automic Automation

    Posted 4 days ago
    Hello Shannon

    We began the process of updating from version 12.2 to version 21 at the company. This will be a complex and long procedure that will take many months to complete, with the entire process ending up in October.
    My concern is: can I update the agents now to version 12.3 or higher while I am still using the 12.2 system version, to mitigate this vulnerability?

    Thank you in advance.


  • 13.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted 4 days ago
    Hi @Gilberto Pacheco

    Agents can connect to a higher AE version, but not vice versa.

    Agent-version <= AE-version

    You must start upgrading your AE-system (and Analytics and AWI) before you can upgrade your existing Agents.

    br Michael

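The two constraints stated in this thread, Broadcom's minimum fixed version for UNIX agents (at least 12.3.7, with 12.3.8 and 21.0.3 recommended) and Michael's rule that an agent version may never exceed the Automation Engine version, combine into a simple inventory triage. This is an added example written for this page, not Broadcom or Automic code; the version-string formats, the agent inventory and the host names are constructed, and the threshold constants are assumptions taken from the posts above.

```python
import re
from dataclasses import dataclass

# Versions stated in the thread: Unix agents need at least 12.3.7 (Broadcom's reply);
# the current recommended releases are 12.3.8 on the 12.x line and 21.0.3 on 21.x.
MIN_FIXED_UNIX_AGENT = (12, 3, 7)
RECOMMENDED = [(12, 3, 8), (21, 0, 3)]

# Accepts "12.3.8 HF3", "12.3.7+HF2" and "21.0.3"; the hotfix number is kept separately.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:\+?\s*HF\s*(\d+))?\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), hotfix) for an Automic version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Automic version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4) or 0)

def fmt(core):
    return ".".join(str(x) for x in core)

@dataclass
class Agent:
    name: str
    platform: str  # "unix", "windows", "java", ...
    version: str

def triage(agents, ae_version):
    """Map agent name -> finding for every agent that needs attention."""
    # Rule from the thread: an agent may connect to an equal or higher AE version,
    # never a lower one, so the upgrade target is the highest recommended release
    # not above the AE; if there is none, the AE itself has to be upgraded first.
    ae_core, _ = parse_version(ae_version)
    targets = [t for t in RECOMMENDED if t <= ae_core]
    findings = {}
    for a in agents:
        core, _ = parse_version(a.version)
        if core > ae_core:
            findings[a.name] = f"{a.version} is newer than AE {ae_version}: unsupported"
        elif a.platform.lower() == "unix" and core < MIN_FIXED_UNIX_AGENT:
            if targets:
                findings[a.name] = f"vulnerable at {a.version}: upgrade agent to {fmt(max(targets))}"
            else:
                findings[a.name] = (f"vulnerable at {a.version}: upgrade AE {ae_version} to at "
                                    f"least {fmt(RECOMMENDED[0])} before the agent can be fixed")
    return findings

# Constructed sample inventory (not real hosts); run triage(SAMPLE_AGENTS, "12.2.4").
SAMPLE_AGENTS = [
    Agent("unix01", "unix", "12.2.4"),
    Agent("unix02", "unix", "12.3.8 HF3"),
    Agent("win01", "windows", "12.2.4"),
    Agent("java01", "java", "21.0.1"),
]
```

With the AE still on 12.2, the output reproduces Michael's answer to Gilberto: the vulnerable UNIX agent cannot be brought to a fixed release until the engine itself moves to 12.3.8 or 21.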


  • 15.  RE: Security Notice for CA Automic Automation

    Posted 4 hours ago
    Edited by Carsten Schmitz 4 hours ago

    Hi Shannon.

    Thanks for the additional info (I have only seen the updates to this thread yesterday, my bad).

    As for notifications: I visited the mail notification interface you linked. I have never visited this one before (I feel like there were a bunch of predecessors or parallel interfaces where I made similar selections in the past). THIS incarnation of an interface had checked "Critical Notification" and a bunch of other things, but "Security Notification" was unchecked. I made sure it's all checked now.

    As for the required security fix: I'll toy today with our dev installation to implement the procedure you folks recommend for 12.3.8, and determine whether we need to download and distribute a key file for our ~900 agents individually, or whether that can somehow be streamlined by us. Again I will also need to give a management recommendation soon whether to perform this expensive action at all, or accept a (largely unspecified) security risk.

    Let's just say all of this is not exactly a great situation for anyone involved.

    Not to beat a dead horse too much, but: On another layer, the entire situation is, let's say, resurfacing more questions. For many years (back to pre-CA days), our company and others have asked the regents of Automic (a middleware handling both extremely sensitive data and credentials) for it to be independently audited for security. CA has told us that the software is audited by a reputable third party, but refused to divulge who that is, and any of the findings/reports. It would appear that security researchers unaffiliated with Broadcom have now uncovered a number of flaws. It would appear from the available information that this would pose major questions on the thoroughness of these independent audits.

    About two years ago, I reported a security concern myself (one that is very high impact, albeit possibly also entirely or near-unavoidably ingrained in product design). I proposed a possible way to escalate this concern even further into a vulnerability (which, granted, I didn't test for because that required certain prep work, but would have appreciated an answer to). I deliberately reported this not to product management, but at that time to a security function published on the Broadcom website. It later turned out that this security function was merely inherited from Symantec. Yet I was told that Broadcom takes such reports seriously and will investigate, however, I never noted any further correspondence from Broadcom on the matter ever again.

    Maybe it is time to rethink what Broadcom/Automic should do to rebuild trust in the security assurances for the product?

    Thanks,

    Carsten



    Original Message:
    Sent: Jun 20, 2022 05:38 PM
    From: Shannon Hebert
    Subject: Security Notice for CA Automic Automation

    Original Message:
    Sent: Jun 20, 2022 05:26 AM
    From: Carsten Schmitz
    Subject: Security Notice for CA Automic Automation

    Original Message:
    Sent: Jun 10, 2022 03:04 AM
    From: Keld Mollnitz
    Subject: Security Notice for CA Automic Automation