Questions on Security Vulnerabilities with WCC version of Apache Tomcat
Article ID: 237465

Products

Autosys Workload Automation

Issue/Introduction

Our security team found several security vulnerabilities with the version of Apache Tomcat deployed with WCC version 12.0.
The outstanding CVEs are CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-13943, CVE-2020-17527, CVE-2020-9484, CVE-2021-24122, CVE-2021-25122 and CVE-2021-25329.

We show that WCC is currently using Apache Tomcat version 9.0.33, and the security finding is requiring version 9.0.43 or higher.
If we upgrade our version of WCC from 12.0 to 12.0 SP1, will this resolve this issue?

Environment

12.X

Autosys WCC

Resolution

Broadcom does not test each minor version of the third-party software.
As such, the Tech Docs documentation will not be updated for each new third-party release.

For Tomcat, we support updating to the latest version within the same release line, i.e. from 9.0.33 to 9.0.XX.

We do not support moving to a new release line such as Tomcat 11.

The Tomcat version is usually updated to a newer or latest release with each full GA version.
Between GA releases, clients can follow the documentation to update Tomcat independently.

Both WCC 12.0 and 12.0 SP1 versions are provided with the Apache Tomcat 9.0.33 version.

The recommended solution will be to upgrade Apache Tomcat from 9.0.33 to 9.0.43 or higher.

You can consult the following documentation page for detailed information on upgrading Tomcat, both for AutoSys and for the Web UI (WCC):

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1-01/installing/Install-AutoSys/upgrade-tomcat-version-for-autosys.html

Upgrade Tomcat Version for AutoSys (and WCC)

NOTE:
On a stand-alone instance of WCC, the webserver folder will still be in the default location:
/opt/CA/WorkloadAutomationAE/webserver
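The following script is an added example (not part of this article or the product) that checks whether an installed Tomcat meets the 9.0.43 minimum named in the finding while staying within the supported 9.0.x line. It assumes the Tomcat home is the webserver folder above and that Tomcat's own bin/version.sh prints a "Server version: Apache Tomcat/x.y.z" line; when that script is absent it parses a constructed sample instead.

```shell
#!/bin/sh
# Added example: verify a WCC Tomcat against the minimum required version.
# Assumption: TOMCAT_HOME is the webserver folder named in the NOTE above.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/CA/WorkloadAutomationAE/webserver}"
REQUIRED_VERSION="9.0.43"   # minimum named in the security finding

# Extract "x.y.z" from text containing "Apache Tomcat/x.y.z" (version.sh output).
parse_tomcat_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each numeric component.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Return 0 when both versions share the same major.minor line (e.g. 9.0).
same_release_line() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Verdict for one installed version: 0 = OK, 1 = upgrade needed, 2 = unsupported line.
assess_tomcat() {
    installed="$1"; required="${2:-$REQUIRED_VERSION}"
    if ! same_release_line "$installed" "$required"; then
        echo "UNSUPPORTED: $installed is outside the ${required%.*}.x line"; return 2
    elif version_ge "$installed" "$required"; then
        echo "OK: $installed meets minimum $required"; return 0
    else
        echo "UPGRADE: $installed is below $required"; return 1
    fi
}

# Stand-alone usage: read the live version when version.sh is present,
# otherwise fall back to a constructed sample of its output.
SAMPLE_OUTPUT="Server version: Apache Tomcat/9.0.33"   # constructed sample line
if [ -x "$TOMCAT_HOME/bin/version.sh" ]; then
    OUTPUT="$("$TOMCAT_HOME/bin/version.sh" 2>/dev/null)"
else
    OUTPUT="$SAMPLE_OUTPUT"
fi
assess_tomcat "$(parse_tomcat_version "$OUTPUT")" || echo "exit status $? (1 = upgrade needed, 2 = unsupported line)"
```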

Additional Information

EEM uses a proprietary web server written by Broadcom; it does not use an OEM web server.

EEM does not use Tomcat, so it is not affected by Tomcat vulnerabilities.

Tomcat can be downloaded from the Official Apache Tomcat website.
https://tomcat.apache.org/