Issued: January 24, 2019
Last Updated: January 24, 2019
CA Technologies Support is alerting customers to a potential risk with the Automic Web Interface (AWI) of CA Automic Workload Automation. A vulnerability exists that can allow an attacker to potentially conduct persistent cross-site scripting (XSS) attacks.
The vulnerability, CVE-2019-6504, has a medium risk rating and concerns insufficient output sanitization.
All supported platforms
Affected Products
CA Automic Workload Automation 12.0
CA Automic Workload Automation 12.1
CA Automic Workload Automation 12.2
Unaffected Products
CA Automic Workload Automation 12.0 with Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1 with Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2 with Automic.Web.Interface 12.2.1 HF1
How to determine if the installation is affected
The version number is visible in the About section of AWI. After logging in to AWI, open the About window to determine the currently installed version.
CA Technologies published the following solutions to address the vulnerability.
CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1
The fixes can be found at https://downloads.automic.com/.
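A fleet check for the steps above, as an added example that is not part of the CA advisory: it compares version strings copied from each AWI About window against the fixed levels listed here. The string format, the function names and the sample inventory are assumptions, as is the premise that later patch levels on a branch carry the fix.

```python
import re

# Fixed Automic.Web.Interface levels from this advisory: branch -> (patch, hotfix).
FIXED_LEVELS = {
    (12, 0): (6, 2),  # 12.0.6 HF2
    (12, 1): (3, 3),  # 12.1.3 HF3
    (12, 2): (1, 1),  # 12.2.1 HF1
}

# Matches "12.0.6 HF2" anywhere in a string; the hotfix part is optional.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[\s+._-]*HF[\s._-]*(\d+))?", re.IGNORECASE)


def parse_awi_version(text):
    """Return ((major, minor), (patch, hotfix)); no hotfix suffix means HF0."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no AWI version found in {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    return (major, minor), (patch, int(match.group(4) or 0))


def assess(version_text):
    """Classify one About-window version string against the advisory."""
    try:
        branch, level = parse_awi_version(version_text)
    except ValueError:
        return "unknown"      # unreadable entry: check the About window by hand
    fixed = FIXED_LEVELS.get(branch)
    if fixed is None:
        return "not-listed"   # branch is not covered by this advisory
    # Assumption: later patch levels and hotfixes on a branch include the fix.
    return "fixed" if level >= fixed else "affected"


def triage(inventory):
    """Map each host in {host: version_text} to its status."""
    return {host: assess(text) for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and installed versions are made up.
    sample = {"awi-prod": "12.0.6 HF1", "awi-test": "12.1.3 HF3",
              "awi-dev": "Automic.Web.Interface 12.2.1", "awi-old": "11.2.5"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" or "not-listed" need a manual look, since the advisory only speaks to the 12.0, 12.1 and 12.2 branches.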
CVE-2019-6504 - CA Automic Workload Automation Persistent XSS vulnerability
CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab
Version 1.0: 2019-01-24 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.