Workload Automation

 View Only

CA - PROACTIVE NOTIFICATION - ATSYS - ADVISORY - AATSYS-100625 

Apr 03, 2018 03:34 PM

March 29, 2018

CA Workload Automation AE and CA Workload Control Center customers, please review the following security notice.

For the latest version of this security notice, see

CA20180329-01: Security Notice for CA Workload Automation AE and CA Workload Control Center

CA20180329-01: Security Notice for CA Workload Automation AE and CA Workload Control Center

Issued: March 29, 2018
Last Updated: March 29, 2018

CA Technologies Support is alerting customers to two potential risks with CA Workload Automation AE and CA Workload Control Center. Two vulnerabilities exist that can allow a remote attacker to conduct SQL injection attacks or execute code remotely.

The first vulnerability, CVE-2018-8953, in CA Workload Automation AE, has a medium risk rating and concerns insufficient data validation that can allow an authenticated remote attacker to conduct SQL injection attacks.

The second vulnerability, CVE-2018-8954, in CA Workload Control Center, has a high risk rating and concerns an Apache MyFaces configuration that can allow an authenticated remote attacker to conduct remote code execution attacks.

Risk Rating

CVE-2018-8953 – Medium
CVE-2018-8954 - High

Platform(s)

All supported platforms

Affected Products

CVE-2018-8953:
CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier
CVE-2018-8954:
CA Workload Control Center (CA WCC) r11.4 SP5 and earlier

Unaffected Products

CA Workload Automation AE r11.3.5 with appropriate fixes listed below
CA Workload Automation AE r11.3.6 SP7
CA Workload Control Center (CA WCC) r11.4 SP5 with appropriate fixes listed below
CA Workload Control Center (CA WCC) r11.4 SP6

How to determine if the installation is affected

Customers may use the CA Workload Automation AE / CA Workload Control Center interface to find the installed version and then use the table in the Affected Products section to determine if the installation is vulnerable.

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Workload Automation AE r11.3.5:
Apply the appropriate patch for your platform:
Windows:  SO00700
HP:  SO00696
AIX:  SO00695
Sun:  SO00694
Linux:  SO00693
CA Workload Automation AE (AutoSys Edition) r11.3.5 Solutions & Patches

CA Workload Automation AE r11.3.6:
Apply SP7.
CA Workload Automation AE Release 11.3.6 SP7 General Availability Announcement

CA Workload Control Center (CA WCC) r11.4 SP5:
Apply patch RO99200
CA Workload Control Center Solutions & Patches

CA Workload Control Center (CA WCC) r11.4 SP6:
CA Workload Automation AE Release 11.3.6 SP7 General Availability Announcement

References

CVE-2018-8953 - CA Workload Automation AE SQL injection
CVE-2018-8954 - CA Workload Control Center MyFaces RCE

Acknowledgement

CVE-2018-8953 – Hamed Merati from Sense of Security Labs
CVE-2018-8954 – Hamed Merati and Kacper Nowak from Sense of Security Labs

Change History

Version 1.0: 2018-03-29 - Initial Release

CA will send a notification about this security notice to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please send a report to the CA Technologies Product Vulnerability Response Team.

CA Technologies security notices

Copyright (c) 2018 CA. All Rights Reserved. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

To unsubscribe from this service, please follow the link below:

https://support.ca.com/irj/portal/hyperSubscription

 

 

Please note that the document shown above is an approximation of the original document.

Statistics
0 Favorited
2 Views
1 Files
0 Shares
0 Downloads
Attachment(s)
pdf file
Proactive_Notification_Advisory - ATSYS - ADVISORY - AATS....pdf   418 KB   1 version
Uploaded - May 29, 2019

Tags and Keywords

Related Entries and Links

No Related Resource entered.