ESB-2018.1037 - [Win][UNIX/Linux] CA Workload Automation AE and CA Workload Control Center: Execute arbitrary code/commands - Existing account 2018-04-05


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1037
       CA20180329-01: Security Notice for CA Workload Automation AE
                      and CA Workload Control Center
                               5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CA Workload Automation AE
                   CA Workload Control Center
Publisher:         CA Technologies
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8954 CVE-2018-8953 

Original Bulletin: 
   https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180329-01--security-notice-for-ca-workload-automation-ae.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20180329-01: Security Notice for CA Workload Automation AE and CA Workload
Control Center

Issued: March 29, 2018
Last Updated: March 29, 2018

CA Technologies Support is alerting customers to two potential risks with CA
Workload Automation AE and CA Workload Control Center. Two vulnerabilities
exist that can allow a remote attacker to conduct SQL injection attacks or
execute code remotely.

The first vulnerability, CVE-2018-8953, in CA Workload Automation AE, has a
medium risk rating and concerns insufficient data validation that can allow an
authenticated remote attacker to conduct SQL injection attacks.

The second vulnerability, CVE-2018-8954, in CA Workload Control Center, has a
high risk rating and concerns an Apache MyFaces configuration that can allow
an authenticated remote attacker to conduct remote code execution attacks.

Risk Rating

+-----------------+-------------+
|CVE Identifier   |Risk Rating  |
+-----------------+-------------+
|CVE-2018-8953    |Medium       |
+-----------------+-------------+
|CVE-2018-8954    |High         |
+-----------------+-------------+

Platform(s)

All supported platforms

Affected Products

+-------------------------------------------+---------------------------------------------+
|CVE Identifier                             |Affected Product and Releases                |
+-------------------------------------------+---------------------------------------------+
|CVE-2018-8953                              |CA Workload Automation AE r11.3.5, r11.3.6   |
|                                           |SP6 and earlier                              |
+-------------------------------------------+---------------------------------------------+
|CVE-2018-8954                              |CA Workload Control Center (CA WCC) r11.4 SP5|
|                                           |and earlier                                  |
+-------------------------------------------+---------------------------------------------+

Unaffected Products

CA Workload Automation AE r11.3.5 with appropriate fixes listed below

CA Workload Automation AE r11.3.6 SP7

CA Workload Control Center (CA WCC) r11.4 SP5 with appropriate fixes listed
below

CA Workload Control Center (CA WCC) r11.4 SP6

How to determine if the installation is affected

Customers may use the CA Workload Automation AE / CA Workload Control Center
interface to find the installed version and then use the table in the Affected
Products section to determine if the installation is vulnerable.

Solution

CA Technologies published the following solutions to address the
vulnerabilities.

CA Workload Automation AE r11.3.5:
Apply the appropriate patch for your platform:
Windows:  SO00700
HP:  SO00696
AIX:  SO00695
Sun:  SO00694
Linux:  SO00693
CA Workload Automation AE (AutoSys Edition) r11.3.5 Solutions & Patches

CA Workload Automation AE r11.3.6:
Apply SP7.
CA Workload Automation AE Release 11.3.6 SP7 General Availability Announcement

CA Workload Control Center (CA WCC) r11.4 SP5:
Apply patch RO99200.
CA Workload Control Center Solutions & Patches

CA Workload Control Center (CA WCC) r11.4 SP6:
CA Workload Automation AE Release 11.3.6 SP7 General Availability Announcement
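The "How to determine if the installation is affected" section leaves the comparison against the Affected Products table to the reader, and the Solution section then maps each affected level to a patch or upgrade. The following is an added example (not CA's or AusCERT's code) that does that comparison for an inventory of AE and WCC version strings. It assumes the product UI reports versions in a form like "r11.3.6 SP6" (the notice does not show the exact format), reads "SP6 and earlier" as covering any lower release or service pack, and cannot tell from the version alone whether an in-place patch has been applied, so it reports those levels as "affected unless patched".

```python
import re
from typing import Tuple

Release = Tuple[int, ...]

# Assumed UI format: "r11.3.6 SP6", "11.3.5", "R11.4 sp5" (constructed).
VERSION_RE = re.compile(r"^r?(\d+(?:\.\d+)*)(?:\s*sp\s*(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[Release, int]:
    """Return (release tuple, service pack); a missing SP is treated as SP0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    sp = int(m.group(2)) if m.group(2) else 0
    return release, sp

# Transcribed from the Affected/Unaffected Products and Solution sections.
# "ceiling": highest (release, SP) the notice lists as affected.
# "inplace": (release, SP or None for any SP) -> patch that fixes it in place.
# "upgrade": the release that is not affected.
RULES = {
    "AE": {
        "cve": "CVE-2018-8953",
        "ceiling": ((11, 3, 6), 6),
        "inplace": {((11, 3, 5), None):
                    "one of SO00693/SO00694/SO00695/SO00696/SO00700"},
        "upgrade": "r11.3.6 SP7",
    },
    "WCC": {
        "cve": "CVE-2018-8954",
        "ceiling": ((11, 4), 5),
        "inplace": {((11, 4), 5): "patch RO99200"},
        "upgrade": "r11.4 SP6",
    },
}

def assess(product: str, version: str) -> str:
    """Classify an installed AE or WCC version against CA20180329-01."""
    rule = RULES[product]
    release, sp = parse_version(version)
    # Tuple comparison orders by release first, then service pack, so
    # "r11.3.6 SP6 and earlier" also covers older releases such as r11.3.5.
    if (release, sp) > rule["ceiling"]:
        return "unaffected"
    for (branch, branch_sp), patch in rule["inplace"].items():
        if release == branch and branch_sp in (None, sp):
            # The version string does not reveal whether a patch is installed.
            return f"affected by {rule['cve']} unless {patch} is applied"
    return f"affected by {rule['cve']}: upgrade to {rule['upgrade']}"
```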

References

CVE-2018-8953 - CA Workload Automation AE SQL injection
CVE-2018-8954 - CA Workload Control Center MyFaces RCE

Acknowledgement

CVE-2018-8953 - Hamed Merati from Sense of Security Labs
CVE-2018-8954 - Hamed Merati and Kacper Nowak from Sense of Security Labs

Change History

Version 1.0: 2018-03-29 - Initial Release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
