Multiple (Java) Vulnerabilities found in /opt/CA/WorkloadCC/ for the WCC server.

Article ID: 197253

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent
CA Workload Automation AE

Issue/Introduction

Security scans show multiple (Java) vulnerabilities found in /opt/CA/WorkloadCC/ for our WCC server.

Based on CVE-2019-11068 (https://www.tenable.com/plugins/nessus/130010), found on our WCC servers, the current version of Java is "1.8.0_202", and Oracle JDK / JRE 13 Update 1, 11 Update 5, 8 Update 231 / 7 Update 241 or later is required to meet the requirements of the CVE. Our current version of WCC is:
/opt/CA/WorkloadCC/uejmver.sh
Product Name:  CA Workload Control Center
Copyright:     Copyright (c) 2019 CA Inc. All rights reserved.
Level:         11.4
Service Pack:  7
Patch Number:  0
Build Number:  20190227-b69
Volume Label:  CA-WCC11.4.7-02-27
Platform:      linux

The server is a Red Hat Enterprise Linux Server running version 7.8 (Maipo) (3.10.0-1127.18.2.el7.x86_64).

Environment

Release : 11.4

Component : CA Workload Automation AE (AutoSys)

Resolution

Yes, WCC 11.4 SP7 uses and ships with JRE 1.8.0_202.

If you want to upgrade the Java used by WCC to a higher 1.8 release, you can.
Please note that you will need to add the following entry:
security.provider.10=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
to the new JRE's java.security files.
Default locations:
%WCC_INSTALLATION%/jre/lib/security/java.security
%WCC_INSTALLATION%/jre_32/lib/security/java.security

This assumes you are adjusting both your 64-bit and 32-bit JREs.
If a file already has a security.provider.10= entry,
number the new entry with the next number in the sequence,
meaning security.provider.11, security.provider.12, and so on.
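
One way to script the java.security edit described above, as an added example (not Broadcom tooling and not part of the original article). The function names and the sample file are hypothetical; it picks the next number in the sequence, skips files where the provider is already registered, and refuses to edit a file whose numbering has a gap.

```shell
#!/bin/sh
# Added example (not Broadcom tooling): register the BC FIPS provider in one
# java.security file at the next free security.provider.N index.
BCFIPS_CLASS="org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"

# Print the index at which class $2 is already registered in file $1 (empty if none).
registered_index() {
    awk -F'[.=]' -v cls="$2" '/^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        if (val == cls) { print $3 + 0; exit } }' "$1"
}

# Print highest index + 1. Fails if the numbering has a gap, because the JDK
# reads entries in order from 1 and stops at the first missing number.
next_provider_index() {
    awk -F'[.=]' '/^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
        n = $3 + 0; seen[n] = 1; if (n > max) max = n }
        END { for (i = 1; i <= max; i++) if (!(i in seen)) exit 1
              print max + 1 }' "$1"
}

# Add the entry to file $1 (idempotent). Prints the index in use.
add_bcfips_provider() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    idx=$(registered_index "$file" "$BCFIPS_CLASS")
    if [ -n "$idx" ]; then echo "$idx"; return 0; fi
    next=$(next_provider_index "$file") || {
        echo "gap in security.provider numbering: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"                      # keep a rollback copy
    # Make sure the appended line does not join an unterminated last line.
    if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
    printf 'security.provider.%s=%s\n' "$next" "$BCFIPS_CLASS" >> "$file"
    echo "$next"
}

# Constructed sample: write a minimal java.security fragment to path $1.
make_sample() {
    printf '%s\n' '# constructed sample, not a real JRE file' \
        'security.provider.1=sun.security.provider.Sun' \
        'security.provider.2=sun.security.rsa.SunRsaSign' \
        '#security.provider.3=commented.out.Provider' \
        'security.provider.3=sun.security.ec.SunEC' > "$1"
}
```

Call add_bcfips_provider once for each java.security path listed above after the new JRE is in place; a .bak copy of each edited file is left beside it.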

Alternatively, if you choose to move to version 12 of WCC, it ships with:
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)

The above applies specifically to the JREs in the WCC paths listed above.
If you have other JREs for other components or products and see more issues than the one above,
please be specific about their product names and releases and which JRE versions they are using.