CA Technologies Support is alerting customers to a potential risk with CA Automic Workload Automation Automic Web Interface (AWI). A vulnerability exists that can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. The vulnerability has a medium risk rating and concerns insufficient output sanitization, which can allow an attacker to potentially conduct persistent cross site scripting (XSS) attacks. Versions 12.0, 12.1 and 12.2 are affected.
7a2927d39fb28bb1d5fe04e9edcc54d3-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CA20190124-01: Security Notice for CA Automic Workload Automation
Issued: January 24, 2019
Last Updated: January 24, 2019
CA Technologies Support is alerting customers to a potential risk with
CA Automic Workload Automation Automic Web Interface (AWI). A
vulnerability exists that can allow an attacker to potentially conduct
persistent cross site scripting (XSS) attacks.
The vulnerability, CVE-2019-6504, has a medium risk rating and
concerns insufficient output sanitization, which can allow an attacker
to potentially conduct persistent cross site scripting (XSS) attacks.
Risk Rating
Medium
Platform(s)
All supported platforms
Affected Products
CA Automic Workload Automation 12.0
CA Automic Workload Automation 12.1
CA Automic Workload Automation 12.2
Unaffected Products
CA Automic Workload Automation 12.0 with Automic.Web.Interface
12.0.6 HF2
CA Automic Workload Automation 12.1 with Automic.Web.Interface
12.1.3 HF3
CA Automic Workload Automation 12.2 with Automic.Web.Interface
12.2.1 HF1
How to determine if the installation is affected
The version number is visible in the About section of AWI. Check the
About window after login to AWI to determine the current installed
version.
Solution
CA Technologies published the following solutions to address the
vulnerabilities.
CA Automic Workload Automation 12.0:
Apply Automic.Web.Interface 12.0.6 HF2
CA Automic Workload Automation 12.1:
Apply Automic.Web.Interface 12.1.3 HF3
CA Automic Workload Automation 12.2:
Apply Automic.Web.Interface 12.2.1 HF1
The fixes can be found at https://downloads.automic.com/
References
CVE-2019-6504 - CA Automic Workload Automation Persistent XSS
vulnerability
Acknowledgement
CVE-2019-6504 - Marc Nimmerrichter from SEC Consult Vulnerability Lab
Change History
Version 1.0: 2019-01-24 - Initial Release
Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Regards,
Ken Williams
Vulnerability Response Director, Enterprise Software R&D
CA Technologies, A Broadcom Company | ca.com | broadcom.com
Copyright (c) 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All other trademarks, trade
names, service marks, and logos referenced herein belong to their
respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
wsFVAwUBXEpaSblJjor7ahBNAQh8eBAAjEuXp96eWVTv+bmSGBUi8qE/ql0m366n
ApEqok1M0uNiwAte+MpZCfe1QBXzEMlxI3rRzwoU/2AgN6td1Ot2onF3ZSu41xZZ
T5Vl8YUgD+H+1aG+lPb2PtqGAkKiiq9/0v7Usa3j2Q0hFcOuzFizUrFwL0zisQqQ
3Yqxe0Z524bxsYOoq3tM6u40hJepA/xrRVehLDXZBEUPoebZ3GjRSgAtcrm1umlQ
i4i35xXJ5bO4un0AdBITl9pbYFRsWsT/UmC3SWuqrRNEfPifig0+N0mQFr3HYss8
7P/t9unyX45K8lK8x88zZVLoEpN4hZSi5ClH3KP7ZaSmWlgQXLP7Llw/DAy8oOPc
xl8QPkhgNusrBgvUb2LtOoIzD89V+bz2tHYpJ0jpYjXRAjTvfmWCpq96+Kv9qj2/
CGjUHSxrLOvKhg+p3UHerAFYpIa0R4qajoN6D/w69fqaD+8Yzq82oK73M9dcXjPG
oiT5V+nC9eWufjpugrJL3ZfaXGz9guLzKrI1IToKNj9iv35umVkSNil3zE5N7nuz
UQtqxEBjD/P54KM8fULbtl+4MbWUB7eDq4jeCvD8Ipe3smJ32VfDzMhco4IYxxVS
yQt7+lMzNYi/yYazREJzdNbsRw8oCtYJUeYeZtGw1QeUK84TP3dobwqZHte+MonN
nJwOOIH2Kpg=
=90ur
-----END PGP SIGNATURE-----