CA20190124-01: Security Notice for CA Automic Workload Automation
Issued: January 24, 2019
Last Updated: January 24, 2019
CA Technologies Support is alerting customers to a potential risk with the Automic Web Interface (AWI) of CA Automic Workload Automation. A vulnerability exists that can allow an attacker to potentially conduct persistent cross-site scripting (XSS) attacks.
The vulnerability, CVE-2019-6504, has a medium risk rating and is caused by insufficient output sanitization.
Risk Rating
Medium
Platform(s)
All supported platforms
Affected Products
CA Automic Workload Automation 12.0
CA Automic Workload Automation 12.1
CA Automic Workload Automation 12.2
Unaffected Products
CA Automic Workload Automation 12.0 with Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1 with Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2 with Automic.Web.Interface 12.2.1 HF1
How to determine if the installation is affected
The version number is visible in the About section of AWI. After logging in to AWI, open the About window to determine the currently installed version.
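For sites with several AWI instances, the version read from each About window can be compared against the fixed levels listed above. The following is an added example, not CA code: the input format ("12.1.3 HF3", as written in this notice), the host names, and the assumption that later service packs and hotfixes on the same release line also contain the fix are all assumptions.

```python
import re

# Fixed Automic.Web.Interface levels per release line, taken from this notice.
FIXED = {
    (12, 0): ((12, 0, 6), 2),  # 12.0.6 HF2
    (12, 1): ((12, 1, 3), 3),  # 12.1.3 HF3
    (12, 2): ((12, 2, 1), 1),  # 12.2.1 HF1
}

# Assumed input format, modelled on the notice's notation: "12.1.3 HF3".
# A version without an "HFn" suffix is treated as hotfix level 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?\s*$", re.IGNORECASE)


def parse_awi_version(text):
    """Split an AWI version string into ((major, minor, sp), hotfix)."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised AWI version string: {text!r}")
    major, minor, sp, hotfix = match.groups()
    return (int(major), int(minor), int(sp)), int(hotfix or 0)


def triage(text):
    """Return 'fixed', 'affected' or 'not-listed' for one AWI version string."""
    release, hotfix = parse_awi_version(text)
    fixed = FIXED.get(release[:2])
    if fixed is None:
        return "not-listed"  # release line is not covered by this notice
    # Assumption: fixes are cumulative, so compare service pack first,
    # then hotfix number, against the first fixed level of that line.
    return "fixed" if (release, hotfix) >= fixed else "affected"


def triage_inventory(inventory):
    """Map each host to its triage result; unparsable entries need a manual look."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = triage(version)
        except ValueError:
            results[host] = "check-manually"
    return results


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    sample = {"awi-prod": "12.1.3 HF1", "awi-test": "12.2.1 HF1", "awi-old": "unknown"}
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```
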
Solution
CA Technologies published the following solutions to address the vulnerability.
CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1
The fixes can be found at https://downloads.automic.com/.
References
CVE-2019-6504 - CA Automic Workload Automation Persistent XSS vulnerability
Acknowledgement
CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab
Change History
Version 1.0: 2019-01-24 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.