Change Download Preference


{{errorInSavingPref}}
Current Preference
{{dwnldPreference}}
Change Preference to:

CA20190124-01: Security Notice for CA Automic Workload Automation

Issued: January 24, 2019

Last Updated: January 24, 2019

CA Technologies Support is alerting customers to a potential risk with CA Automic Workload Automation Automic Web Interface (AWI). A vulnerability exists that can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks.

The vulnerability, CVE-2019-6504, has a medium risk rating and concerns insufficient output sanitization, which can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks.

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA Automic Workload Automation 12.0

CA Automic Workload Automation 12.1

CA Automic Workload Automation 12.2

Unaffected Products

CA Automic Workload Automation 12.0 with Automic.Web.Interface 12.0.6 HF2

CA Automic Workload Automation 12.1 with Automic.Web.Interface 12.1.3 HF3

CA Automic Workload Automation 12.2 with Automic.Web.Interface 12.2.1 HF1

How to determine if the installation is affected

The version number is visible in the About section of AWI. Check the About window after login to AWI to determine the current installed version.

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2

CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3

CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1

The fixes can be found at https://downloads.automic.com/

References

CVE-2019-6504 - CA Automic Workload Automation Persistent XSS vulnerability

Acknowledgement

CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab

Change History

Version 1.0: 2019-01-24 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

CA Technologies security notices