Over the past several days, we've been discussing how we could enable this process to be more straightforward for 12.3 and a large number of agents. Matthias is correct that porting TLS to 12.3 is a significant architectural change we designed for in v21. By versioning standards, this is one of the several reasons we can identify v21 as a new major release.
We're brainstorming other possibilities to update the encryption keys, but this is not a straightforward task with the safeguards in place in 12.3.
Please continue your remediation of the vulnerabilities by following our current documented process. We'll let you know if we can identify a time-saving approach to update these keys while maintaining the stabilization of the 12.3 ecosystems.
Original Message:
Sent: Jun 21, 2022 10:52 AM
From: Matthias Schelp
Subject: Security Notice for CA Automic Automation
Hi,
CVE-2022-33756 is a weakness in Automic's authentication algorithm, which was replaced by TLS in version 21.
So the fix would be to backport TLS support to 12.x, which was one of the, if not the, major change in V21 and can't be done easily or in a reasonable amount of time.
Regards, Matthias
Original Message:
Sent: Jun 21, 2022 09:57 AM
From: Olgun Ozmen
Subject: Security Notice for CA Automic Automation
Hi @Shannon Hebert
I just want to ask this. Why is the final fix (not workaround or mitigation) for CVE-2022-33756 only available for v21 but not for versions with 12.3.x?
Original Message:
Sent: Jun 20, 2022 05:38 PM
From: Shannon Hebert
Subject: Security Notice for CA Automic Automation
Hi Carsten and All,
Our notifications are sent from support-noreply@broadcom.com and contain a hyperlink that your corporate email security may have flagged. I'll look to ensure all is working as it should with our notifications, though please ensure you're signed up for all related Automic products by searching and enabling the notification from here: https://support.broadcom.com/user/notifications.html
Our goal with the recent security advisory is to ensure customers don't get compromised. We provided fixes and published a security advisory last year to give customers adequate time to upgrade. We chose not to disclose details publicly to protect customers and allow you time to upgrade/apply fixes. The security researcher requested public recognition, which is the reason for filing the CVEs, now updated here.
As stated in the announcement, the recommendation and solution for the Unix agent vulnerabilities are to update to at least 12.3.7. We recommend you use the latest version of the major release you're on, which is currently 12.3.8 HF3, and 21.0.3 HF1 was published today.
The recommendation for the Automation Engine vulnerability is to either turn on the local_remote authentication method or update it to 21.0. Both can be used. Or, if our customers use local_remote for authentication in 12.3 as a short to medium-term mitigation, it can be turned off in 21.0 using the method described in the documentation.
- It is also possible in version 21.0 to retrieve the authentication package through a REST method.
When considering what action to take, the risk is reduced substantially if your agents are protected within internal networks and have strict security guidelines for users. If agents are located on the DMZ/accessible to the internet, the AE engine, components, and agents should be upgraded to 12.3.7+ with local_remote or v21 with TLS in place as they're at risk. Each customer will have to assess the risk for themselves.
Broadcom PM, Engineering, and Support want to ensure customers take appropriate action to mitigate potential risk. We'll look over your upgrade plan and give feedback before your maintenance. If you're upgrading to v21.0, we have July 16th and October 15th open for 2022 Designated Upgrade Weekends.
Please create a Support case if you have any questions or would like us to review your plans.
Thanks,
-Shannon
Shannon Hebert
Manager of Automation Support
Broadcom Software
Original Message:
Sent: Jun 20, 2022 05:26 AM
From: Carsten Schmitz
Subject: Security Notice for CA Automic Automation
All: Broadcom has published an UPDATE to the security advisory.
I don't know about you, but I have NOT received an email notification about this from Broadcom. Either way, here it is:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629
12.3.7+HF2 is NOT sufficient anymore, apparently one now needs 12.3.8 instead. Or maybe 21? Not sure. Apparently, writing unambiguous advisories is hard :(
For all vulnerabilities:
Upgrade UNIX Agents and Automation Engine to V21
The current and recommended releases are 21.0.3 or 12.3.8.
It also adds that for V12.3.x, the agent authentication method needs to be changed to LOCAL_REMOTE, which entails downloading, from AWI, a key file for every agent, and deploying it as a zip file to every agent (that has a key store).
Side note: For us, this means we'd need to download about 800 files manually, by hand, from AWI, and deploy them to computers that are managed by a third party. Which is NOT a workable process.
Original Message:
Sent: Jun 10, 2022 03:04 AM
From: Keld Mollnitz
Subject: Security Notice for CA Automic Automation
CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.
More info can be found here:
Support Content Notification - Support Portal - Broadcom support portal
/Keld.