CA20220609-01: Security Notice for CA Automic Automation
CA20220609-01: Security Notice for CA Automic Automation
Issued: June 9th, 2022
Last Updated: October 18th, 2022
This is an update to the original Automic Automation security advisory from August 2021, that can be found here.
CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address this vulnerability and recommends that all affected customers implement these solutions.
The first vulnerability, CVE-2022-33750, occurs due to an authentication error in the Automic agent. A remote attacker can potentially execute arbitrary commands.
The second vulnerability, CVE-2022-33751, occurs due to insecure memory handling in the Automic agent. A remote attacker can potentially access sensitive data.
The third vulnerability, CVE-2022-33752, occurs due to insufficient input validation in the Automic agent. A remote attacker can potentially execute arbitrary code.
The fourth vulnerability, CVE-2022-33753, occurs due to insecure file creation and handling in the Automic agent. A user can potentially elevate privileges.
The fifth vulnerability, CVE-2022-33754, occurs due to insufficient input validation in the Automic agent. A remote attacker can potentially execute arbitrary code.
The sixth vulnerability, CVE-2022-33755, occurs due to insecure input handling in the Automic Agent. A remote attacker can potentially enumerate users.
The seventh vulnerability, CVE-2022-33756, occurs due to an entropy bug in the Automic AutomationEngine. A remote attacker can potentially access sensitive data.
Risk Rating
CVE-2022-33750 - High
CVE-2022-33751 - Medium
CVE-2022-33752 - Medium
CVE-2022-33753 - High
CVE-2022-33754 - Medium
CVE-2022-33755 - Medium
CVE-2022-33756 - Medium
Platform(s)
All
Affected Products
CA Automic Automation 12.2
CA Automic Automation 12.3
CA Automic Continuous Delivery Automation 12.2
CA Automic Continuous Delivery Automation 12.3
Non-Affected Products
CA Automic Automation 12.2.9+HF.1 or later
CA Automic Automation 12.3.6+HF.1 or later
CA Automic Automation 21.0.0 or later
CA Automic Continuous Delivery Automation 12.2.9+HF.1 or later
CA Automic Continuous Delivery Automation 12.3.6+HF.1 or later
CA Automic Continuous Delivery Automation 21.0.0 or later
How to determine if the installation is affected
Check the product version and hotfix level.
Solution
CA Technologies published the following solutions to address the vulnerabilities.
For CVE-2022-33750, CVE-2022-33751, CVE-2022-33752, CVE-2022-33753, CVE-2022-33754, CVE-2022-33755:
- Upgrade the v12.3 Automic UNIX agents to at least 12.3.7 or later from downloads.automic.com.
For CVE-2022-33756:
- Update Automation Engine and Agents to 12.3.9 HF2. Also see this Knowledge Base Article: https://knowledge.broadcom.com/external/article?articleId=249945
Or
For all vulnerabilities:
- Upgrade UNIX Agents and Automation Engine to V21
The current and recommended releases are 21.0.4 or 12.3.9.
The original Automic Automation security advisory can be found here.
How to determine if the fix is applied
Check the product version and hotfix level.
References
CVE-2022-33750 - CA Automic Automation agent authentication bypass vulnerability
CVE-2022-33751 - CA Automic Automation agent memory disclosure vulnerability
CVE-2022-33752 - CA Automic Automation agent RCE vulnerability
CVE-2022-33753 - CA Automic Automation agent privilege elevation vulnerability
CVE-2022-33754 - CA Automic Automation agent buffer overflow RCE vulnerability
CVE-2022-33755 - CA Automic Automation agent user enumeration vulnerability
CVE-2022-33756 - CA Automic Automation AutomationEngine weak crypto vulnerability
Acknowledgement
CVE-2022-33750 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33751 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33752 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33753 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33754 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33755 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33756 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
Change History
Version 1.0: 2022-06-09 - Initial Release
Version 1.1: 2022-06-15 - Added CVE identifiers and additional Solution information.
Version 1.2: 2022-07-06 - Added CA Automic Continuous Delivery Automation to Affected and Non-Affected Products sections.
Version 1.3: 2022-08-15 - Added info about upcoming hotfix for CVE-2022-33756.
Version 1.4: 2022-09-30 - Updated info for hotfix for CVE-2022-33756.
Version 1.5: 2022-10-18 - Updated Solution for 12.3.9 HF2 release.
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.
Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.