CA20220609-01: Security Notice for CA Automic Automation


Issued: June 9th, 2022
Last Updated: October 18th, 2022

This is an update to the original Automic Automation security advisory from August 2021, which can be found here.

CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address these vulnerabilities and recommends that all affected customers implement them.

The first vulnerability, CVE-2022-33750, occurs due to an authentication bypass in the Automic agent. A remote attacker can potentially execute arbitrary commands.

The second vulnerability, CVE-2022-33751, occurs due to insecure memory handling in the Automic agent. A remote attacker can potentially access sensitive data held in agent memory.

The third vulnerability, CVE-2022-33752, occurs due to insufficient input validation in the Automic agent. A remote attacker can potentially execute arbitrary code.

The fourth vulnerability, CVE-2022-33753, occurs due to insecure file creation and handling in the Automic agent. A local user can potentially elevate privileges.

The fifth vulnerability, CVE-2022-33754, occurs due to insufficient input validation (a buffer overflow) in the Automic agent. A remote attacker can potentially execute arbitrary code.

The sixth vulnerability, CVE-2022-33755, occurs due to insecure input handling in the Automic agent. A remote attacker can potentially enumerate users.

The seventh vulnerability, CVE-2022-33756, occurs due to insufficient entropy in random number generation in the Automic AutomationEngine. A remote attacker can potentially access sensitive data.

Risk Rating

CVE-2022-33750 - High
CVE-2022-33751 - Medium
CVE-2022-33752 - Medium
CVE-2022-33753 - High
CVE-2022-33754 - Medium
CVE-2022-33755 - Medium
CVE-2022-33756 - Medium

Platform(s)

All

Affected Products

CA Automic Automation 12.2
CA Automic Automation 12.3
CA Automic Continuous Delivery Automation 12.2
CA Automic Continuous Delivery Automation 12.3

Non-Affected Products

CA Automic Automation 12.2.9+HF.1 or later
CA Automic Automation 12.3.6+HF.1 or later
CA Automic Automation 21.0.0 or later
CA Automic Continuous Delivery Automation 12.2.9+HF.1 or later
CA Automic Continuous Delivery Automation 12.3.6+HF.1 or later
CA Automic Continuous Delivery Automation 21.0.0 or later

How to determine if the installation is affected

Compare the installed product version and hotfix level against the Affected Products and Non-Affected Products lists above. Note that a release at the fixed patch level but without the listed hotfix (for example 12.3.6 without HF.1) is still affected.

Solution

CA Technologies published the following solutions to address the vulnerabilities.

For CVE-2022-33750, CVE-2022-33751, CVE-2022-33752, CVE-2022-33753, CVE-2022-33754, CVE-2022-33755:

For CVE-2022-33756:

Or

For all vulnerabilities:

  • Upgrade UNIX Agents and Automation Engine to V21

The current and recommended releases are 21.0.4 or 12.3.9.

The original Automic Automation security advisory can be found here.

How to determine if the fix is applied

Confirm that the installed product version and hotfix level is at or above the corresponding entry in the Non-Affected Products list (12.2.9+HF.1, 12.3.6+HF.1, or 21.0.0).
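The two checks above ("is the installation affected" and "is the fix applied") are the same comparison against the Non-Affected Products list. The following is an added example, not Broadcom's or CA's own tooling, that encodes those thresholds and applies them to version strings in the format the advisory uses (major.minor.patch with an optional "+HF.n" hotfix suffix). How the version string is obtained from a given installation is not covered here; the inventory below is constructed sample data, and the host names and the `triage` helper are illustrative.

```python
import re
from typing import Dict, NamedTuple


class Version(NamedTuple):
    """Comparable (major, minor, patch, hotfix); hotfix is 0 without a +HF.n suffix."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts "12.3.6+HF.1", "12.2.9+hf.2", "12.3.9 HF2" and plain "21.0.4".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*\+?\s*HF\.?\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse an Automic-style version/hotfix string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return Version(int(major), int(minor), int(patch), int(hf or 0))


# First non-affected level per branch, taken from the advisory's
# Non-Affected Products list (same thresholds for Automation and
# Continuous Delivery Automation).
FIXED_FROM: Dict[tuple, Version] = {
    (12, 2): Version(12, 2, 9, 1),  # 12.2.9+HF.1 or later
    (12, 3): Version(12, 3, 6, 1),  # 12.3.6+HF.1 or later
}
FIXED_MAJOR = 21  # 21.0.0 or later is not affected


def is_affected(version_text: str) -> bool:
    """True if the installed level is below the fixed level for its branch.

    Raises ValueError for branches the advisory does not list (e.g. 12.1),
    so that an unknown branch is never silently reported as fixed.
    """
    v = parse_version(version_text)
    if v.major >= FIXED_MAJOR:
        return False
    threshold = FIXED_FROM.get((v.major, v.minor))
    if threshold is None:
        raise ValueError(f"branch {v.major}.{v.minor} is not covered by CA20220609-01")
    # Tuple comparison is lexicographic: patch is compared before hotfix,
    # so 12.3.6 (hotfix 0) sorts below 12.3.6+HF.1 and is reported affected.
    return v < threshold


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'fixed' or 'unknown' (branch not in advisory)."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory for illustration; not data from the advisory.
SAMPLE_INVENTORY = {
    "agent-01": "12.3.6",        # fixed patch level but no HF.1 -> affected
    "agent-02": "12.3.6+HF.1",   # exactly the fixed level -> fixed
    "agent-03": "12.2.9+hf.2",   # later hotfix on the fixed patch -> fixed
    "agent-04": "12.2.10",       # patch above 12.2.9 -> fixed
    "agent-05": "12.3.5+HF.9",   # older patch, any hotfix -> affected
    "engine-01": "21.0.4",       # V21 -> fixed
    "engine-02": "12.3.9 HF2",   # space-separated hotfix form -> fixed
    "legacy-01": "12.1.3",       # branch not listed -> unknown
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:14s} {status}")
```

The thresholds encode only the Non-Affected Products list as published. The Solution section lists a separate hotfix for CVE-2022-33756, so if that hotfix text applies to your branch, adjust the threshold for that branch accordingly rather than relying on the list alone.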

References

CVE-2022-33750 - CA Automic Automation agent authentication bypass vulnerability
CVE-2022-33751 - CA Automic Automation agent memory disclosure vulnerability
CVE-2022-33752 - CA Automic Automation agent RCE vulnerability
CVE-2022-33753 - CA Automic Automation agent privilege elevation vulnerability
CVE-2022-33754 - CA Automic Automation agent buffer overflow RCE vulnerability
CVE-2022-33755 - CA Automic Automation agent user enumeration vulnerability
CVE-2022-33756 - CA Automic Automation AutomationEngine weak crypto vulnerability

Acknowledgement

CVE-2022-33750 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33751 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33752 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33753 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33754 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33755 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH
CVE-2022-33756 - Fabian Ullrich & Dennis Mantz, ERNW Enno Rey Netzwerke GmbH

Change History

Version 1.0: 2022-06-09 - Initial Release
Version 1.1: 2022-06-15 - Added CVE identifiers and additional Solution information.
Version 1.2: 2022-07-06 - Added CA Automic Continuous Delivery Automation to Affected and Non-Affected Products sections.
Version 1.3: 2022-08-15 - Added info about upcoming hotfix for CVE-2022-33756.
Version 1.4: 2022-09-30 - Updated info for hotfix for CVE-2022-33756.
Version 1.5: 2022-10-18 - Updated Solution for 12.3.9 HF2 release.

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.