CA20190124-01: Security Notice for CA Automic Workload Automation

Issued: January 24, 2019
Last Updated: January 24, 2019

CA Technologies Support is alerting customers to a potential risk with CA Automic Workload Automation Automic Web Interface (AWI). A vulnerability exists that can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks.

The vulnerability, CVE-2019-6504, has a medium risk rating and concerns insufficient output sanitization, which can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks.

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA Automic Workload Automation 12.0
CA Automic Workload Automation 12.1
CA Automic Workload Automation 12.2

Unaffected Products

CA Automic Workload Automation 12.0 with Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1 with Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2 with Automic.Web.Interface 12.2.1 HF1

How to determine if the installation is affected

The version number is visible in the About section of AWI. Check the About window after login to AWI to determine the current installed version.

Solution

CA Technologies published the following solutions to address the vulnerabilities.

CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2

CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3

CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1

The fixes can be found at https://downloads.automic.com/

References

CVE-2019-6504 - CA Automic Workload Automation Persistent XSS vulnerability

Acknowledgement

CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab

Change History

Version 1.0: 2019-01-24 - Initial Release

Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Enterprise Software R&D
CA Technologies, A Broadcom Company | ca.com | broadcom.com

Copyright (c) 2019 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
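A triage helper for the version check and hotfix list in this notice, added here as an example and not code from CA Technologies. It assumes the About window value has been transcribed in the `12.1.3 HF3` form the notice uses and that later builds on the same branch carry the fix; the function names and the inventory are constructed for illustration.

```python
import re

# Minimum fixed Automic.Web.Interface build per branch, from the Solution section.
FIXED = {
    (12, 0): (12, 0, 6, 2),   # 12.0.6 HF2
    (12, 1): (12, 1, 3, 3),   # 12.1.3 HF3
    (12, 2): (12, 2, 1, 1),   # 12.2.1 HF1
}

# Assumed input format: "major.minor.patch", optionally followed by "HF<n>".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_awi_version(text):
    """Return (major, minor, patch, hotfix); hotfix is 0 when absent."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised AWI version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for CVE-2019-6504."""
    try:
        version = parse_awi_version(text)
    except ValueError:
        return "unknown"          # never report an unparseable string as safe
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown"          # branch not covered by this notice
    # Assumption: builds at or above the listed hotfix on a branch include the fix.
    return "fixed" if version >= fixed else "affected"


def triage(inventory):
    """Map host -> status and return the hosts that still need the hotfix."""
    status = {host: classify(ver) for host, ver in inventory.items()}
    needs_patch = sorted(h for h, s in status.items() if s == "affected")
    return status, needs_patch


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    sample = {"awi-prod": "12.1.3 HF2", "awi-test": "12.2.1 HF1",
              "awi-dev": "12.0.6", "awi-lab": "11.2.9", "awi-old": "v12"}
    status, needs_patch = triage(sample)
    for host in sorted(status):
        print(f"{host}: {status[host]}")
    print("apply hotfix on:", ", ".join(needs_patch))
```

Hosts reported as `unknown` need a manual check of the About window rather than being treated as patched.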