Please see CA20220609-01: Security Notice for CA Automic Automation and CVE-2022-33756 for information on vulnerabilities found in the Automation Engine:
CVE-2022-33756 occurs due to an entropy bug in the Automic Automation Engine. A remote attacker can potentially access sensitive data.
This article discusses the steps to mitigate this vulnerability in version 12.3.
Automation Engine and Agents: 12.3
Entropy bug in authentication modes NO and LOCAL
Manual method (12.3.9 HF1 and earlier):
In 12.3.9 HF1 and earlier versions, the manual method is needed. The main steps are outlined in the documentation here. They consist of setting up LOCAL_REMOTE (steps 1 through 4), downloading an Authentication Package (steps 5 through 8), and moving the package and updating the agent INI file (steps 9 through 12).
Non-Manual method (12.3.9 HF2):
Note: If you are using authentication method LOCAL_REMOTE and would like to continue to do so, no update is necessary. The following applies to systems using authentication mode LOCAL or NO (default) in UC_AS_SETTINGS. Authentication mode NO is not recommended, for authentication and security reasons.
If you update agents to 12.3.9 HF2 within a 21.0.x environment, they will only be able to connect to an Automation Engine at version and service pack 21.0.5 or later (Available).
With the release of 12.3.9 HF2, this vulnerability has been removed from the product.
The steps that will need to be taken:
[OPTIONAL] - Once all agents are upgraded to a version with strong entropy keys, if you would like to restrict the system so that only agents with higher-entropy keys can connect:
NOTE: If the GSS_COMPATIBILITY setting is updated to NO, only agents on 12.3.9 HF2 whose transfer key has been renewed will be able to connect to the system. Any agent on version 12.3.9 HF1 or below, or updated to 12.3.9 HF2 without a renewed transfer key, will be unable to connect to the system.
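Before tightening GSS_COMPATIBILITY to NO, a practitioner would want to confirm that no agent falls under the NOTE above. The following is an added readiness check, not code from the article or from Automic: it encodes the article's rule (agent at 12.3.9 HF2 or later and transfer key renewed) against a constructed agent inventory; how that inventory is collected from a real system is left as an assumption.

```python
"""Readiness check before setting GSS_COMPATIBILITY=NO in UC_AS_SETTINGS.

Encodes only the 12.3.x rule stated in the article: an agent keeps
connectivity only if it is on 12.3.9 HF2 (or later) AND its transfer
key has been renewed after the upgrade. The inventory is constructed
sample data; it is not read from a real Automation Engine.
"""
import re
from dataclasses import dataclass

MIN_VERSION = (12, 3, 9, 2)  # 12.3.9 HF2: first build with strong entropy keys


@dataclass
class Agent:
    name: str          # hypothetical agent name
    version: str       # e.g. "12.3.9 HF2", "12.3.9 HF1", "12.3.8"
    key_renewed: bool  # transfer key renewed after the upgrade to HF2


def parse_version(text: str) -> tuple:
    """Turn '12.3.9 HF2' into (12, 3, 9, 2); a missing HF suffix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Automic version string: {text!r}")
    major, minor, sp, hf = m.groups()
    return (int(major), int(minor), int(sp), int(hf or 0))


def blocked_agents(agents):
    """Agents that would lose connectivity once GSS_COMPATIBILITY is NO."""
    blocked = []
    for agent in agents:
        if parse_version(agent.version) < MIN_VERSION:
            blocked.append((agent.name, "below 12.3.9 HF2"))
        elif not agent.key_renewed:
            blocked.append((agent.name, "transfer key not renewed"))
    return blocked


def safe_to_disable_gss_compatibility(agents) -> bool:
    """True only when every agent satisfies the article's two conditions."""
    return not blocked_agents(agents)


# Constructed sample inventory (hypothetical names, not real hosts)
INVENTORY = [
    Agent("WIN01", "12.3.9 HF2", key_renewed=True),
    Agent("LNX01", "12.3.9 HF2", key_renewed=False),
    Agent("LNX02", "12.3.9 HF1", key_renewed=True),
    Agent("SAP01", "12.3.8", key_renewed=False),
]

if __name__ == "__main__":
    for name, reason in blocked_agents(INVENTORY):
        print(f"{name}: {reason}")
    print("safe to set GSS_COMPATIBILITY=NO:", safe_to_disable_gss_compatibility(INVENTORY))
```

Run it against the full inventory and only switch the setting when the function returns True; every listed agent would otherwise drop off the system as described in the NOTE.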
Q) Can agents on 12.3.9 HF1 or lower continue to connect to a system where the automation engine is on 12.3.9 HF2?
A) Yes, as long as GSS_COMPATIBILITY is still set to YES in UC_AS_SETTINGS.
Q) Does the renewal of the transfer key require the agent to be stopped and restarted?
Q) Can AUTHENTICATION in UC_AS_SETTINGS continue to be blank or set to NO after updating everything to 12.3.9 HF2?
Q) Can the agent transfer keys be renewed on 12.3.9 HF2 while GSS_COMPATIBILITY is set to NO?
Q) Can agents updated to 12.3.9 HF2 whose keys have been renewed connect to a system with GSS_COMPATIBILITY set to YES?
Q) Can agents updated to 12.3.9 HF2 connect to 21.0 systems?
A) Not at this time. Once 21.0.5 is released (planned for February 2023), they will be able to connect.
Q) Are only system Agents concerned by this entropy issue?
A) This is a GSS problem. GSS is a security layer used for the authentication of agents and also for encrypting the traffic. It is implemented in the CPs and in all components that connect to them. These changes apply not only to OS agents but also to Java-based agents (RA, SAP, and so forth).