Automic Workload Automation


Security Notice for CA Automic Automation

  • 1.  Security Notice for CA Automic Automation

    Posted Jun 10, 2022 03:05 AM
    CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

    More info can be found here:
    Support Content Notification - Support Portal - Broadcom support portal


    /Keld.


  • 2.  RE: Security Notice for CA Automic Automation

    Posted Jun 13, 2022 10:28 AM
    Edited by Carsten Schmitz Jun 13, 2022 10:29 AM
    @Kaj Wierda I appreciate the heads-up here. But as a company, we are displeased with the way Broadcom (still) reports Automic security bulletins. Points I kindly ask to take into consideration:

    1. As an Administrator, it's my task to make specific recommendations on just how critical updating is. This announcement is rather light on details. The links are dead (there are no "CVE2022-pending1"-style things in the CVE database). It would be very much required to have some more in-depth information to advise decision makers on short notice whether to approve an emergency update or not.

    2. Related: Does this not even specify WHICH agent is affected? You are selling a multitude of Automic agents. Sorry, merely saying "CA Automic Automation Agent" does not cut it. Windows? Linux? Maybe even Java? We have multiple engines and potentially up to 900 agents. I'd rather you identify your products than me doing overtime to do emergency updates on some obscure RA agent potentially due to incomplete vendor information.

    Thanks, regards,
    Carsten




  • 3.  RE: Security Notice for CA Automic Automation

    Posted Jun 13, 2022 11:14 AM
    I agree 100%. This announcement should contain detailed information.
    That said, I believe it is related to UNIX-only agents based upon the link referenced: "The original Automic Automation security advisory can be found here."




  • 4.  RE: Security Notice for CA Automic Automation

    Posted Jun 14, 2022 02:54 AM
    Thanks for the link, Timothy.

    I am just confused about the date of this notification (Id 18598): 06 August 2021 !?
    Did we all miss out on this alert?


    ------------------------------
    Regards, Nicole
    ------------------------------



  • 5.  RE: Security Notice for CA Automic Automation

    Posted Jun 14, 2022 03:24 AM
    What @Carsten Schmitz says.


  • 6.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted Jun 14, 2022 11:48 AM
    Thanks for the feedback. Several updates were made to this follow-up notification based on your feedback, including a more precise solution indicating which agents are affected (UNIX).

    ------------------------------
    Kaj Wierda
    Sr. Product Line Manager | Automation

    Broadcom Software
    ------------------------------



  • 7.  RE: Security Notice for CA Automic Automation

    Posted Jun 20, 2022 05:27 AM
    Edited by Carsten Schmitz Jun 20, 2022 05:28 AM
    All: Broadcom has published an UPDATE to the security advisory.

    I don't know about you, but I have NOT received email notification about this by Broadcom. Either way, here it is:

    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629

    12.3.7+HF2 is NOT sufficient anymore; apparently one now needs 12.3.8 instead. Or maybe 21? Not sure. Apparently, writing unambiguous advisories is hard :(

    For all vulnerabilities:

    • Upgrade UNIX Agents and Automation Engine to V21

    The current and recommended releases are 21.0.3 or 12.3.8.

    It also adds that for V12.3.x, the agent authentication method needs to be changed to LOCAL_REMOTE, which entails downloading, from AWI, a key file for every agent, and deploying it as a zip file to every agent (that has a key store).

    Side note: For us, this means we'd need to download about 800 files manually, by hand, from AWI, and deploy them to computers that are managed by a third party. Which is NOT a workable process.




  • 8.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted Jun 20, 2022 05:38 PM
    Edited by Shannon Hebert Jun 20, 2022 05:47 PM
    Hi Carsten and All,

    Our notifications are sent from support-noreply@broadcom.com and contain a hyperlink that your corporate email security may have flagged. I'll look to ensure all is working as it should with our notifications, though please ensure you're signed up for all related Automic products by searching and enabling the notification from here: https://support.broadcom.com/user/notifications.html

    Our goal with the recent security advisory is to ensure customers don't get compromised. We provided fixes and published a security advisory last year to give customers adequate time to upgrade. We chose not to disclose details publicly to protect customers and allow you time to upgrade/apply fixes. The security researcher requested public recognition, which is the reason for filing the CVEs, now updated here.

    As stated in the announcement, the recommendation and solution for the Unix agent vulnerabilities are to update to at least 12.3.7. We recommend you use the latest version of the major release you're on, which is currently 12.3.8 HF3, and 21.0.3 HF1 was published today.
    The recommendation for the Automation Engine vulnerability is to either turn on the local_remote authentication method or update to 21.0. Both can be used. Or, if our customers use local_remote for authentication in 12.3 as a short- to medium-term mitigation, it can be turned off in 21.0 using the method described in the documentation.

    • It is also possible in version 21.0 to retrieve the authentication package through a REST method.

    When considering what action to take, the risk is reduced substantially if your agents are protected within internal networks and have strict security guidelines for users. If agents are located on the DMZ/accessible to the internet, the AE engine, components, and agents should be upgraded to 12.3.7+ with local_remote or v21 with TLS in place as they're at risk. Each customer will have to assess the risk for themselves.

    Broadcom PM, Engineering, and Support want to ensure customers take appropriate action to mitigate potential risk. We'll look over your upgrade plan and give feedback before your maintenance. If you're upgrading to v21.0, we have July 16th and October 15th open for 2022 Designated Upgrade Weekends.

    Please create a Support case if you have any questions or would like us to review your plans.

    Thanks,

    -Shannon


    Shannon Hebert

    Manager of Automation Support

    Broadcom Software




  • 9.  RE: Security Notice for CA Automic Automation

    Posted Jun 21, 2022 09:57 AM
    Hi @Shannon Hebert

    I just want to ask this. Why is the final fix (not workaround or mitigation) for CVE-2022-33756 only available for v21 but not for versions with 12.3.x?





  • 10.  RE: Security Notice for CA Automic Automation

    Posted Jun 21, 2022 10:52 AM
    Hi,

    CVE-2022-33756 is a weakness in Automic's authentication algorithm, which was replaced by TLS in version 21.

    So the fix would be to backport TLS support to 12.x, which was one of the, if not the, major change in V21 and can't be done easily or in a reasonable amount of time.

    Regards, Matthias


  • 11.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted Jun 23, 2022 10:28 AM
    Hi Olgun, Matthias, and All,

    Over the past several days, we've been discussing how we could enable this process to be more straightforward for 12.3 and a large number of agents. Matthias is correct that porting TLS to 12.3 is a significant architectural change we designed for in v21. By versioning standards, this is one of the several reasons we can identify v21 as a new major release.

    We're brainstorming other possibilities to update the encryption keys, but this is not a straightforward task with the safeguards in place in 12.3.

    Please continue your remediation of the vulnerabilities by following our current documented process. We'll let you know if we can identify a time-saving approach to update these keys while maintaining the stabilization of the 12.3 ecosystems.

    Thank you,

    -Shannon


    Shannon Hebert

    Manager of Automation Support

    Broadcom Software | Agile Operations Division




  • 12.  RE: Security Notice for CA Automic Automation

    Posted Jun 23, 2022 01:07 PM
    Hello Shannon

    We began the process of updating from version 12.2 to version 21 at the company. This will be a complex and long procedure that will take many months to complete, with the entire process ending up in October.
    My concern is: can I update the agents now to version 12.3 or higher while I am still using the 12.2 system version, to mitigate this vulnerability?

    Thank you in advance.


  • 13.  RE: Security Notice for CA Automic Automation

    Broadcom Employee
    Posted Jun 23, 2022 02:06 PM
    Hi @Gilberto Pacheco

    Agents can connect to a higher AE version, but not vice versa.

    Agent-version <= AE-version

    You must start upgrading your AE-system (and Analytics and AWI) before you can upgrade your existing Agents.

    br Michael


  • 14.  RE: Security Notice for CA Automic Automation