CVE-2022-42889 and Autosys Workload Automation

Article ID: 252472

Updated On:

Products

CA Workload Automation AE
CA Workload Automation iXP

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022.
More information can be found here

The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9.  

Is Autosys Workload Automation affected by this?

Resolution

1.  CA Workload Automation AE  (Including WebUI/WCC)

CA Workload Automation AE does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.

12.x releases:

- The installer leaves a file in the following location:

  Linux example:
    /opt/CA/WorkloadAutomationAE/autosys/install/JARS/commons-text-1.9.jar

  Windows example:
    C:\Program Files\CA\WorkloadAutomationAE\autosys\install\JARS\commons-text-1.8.jar

- The installer copies the file for its internal use, but none of the AutoSys components use it. The installer also does not make use of the StringSubstitutor.

- This file can be removed manually without affecting product usage.
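To confirm which copies of the leftover JAR are present on a Linux host, the following added example (not part of the original article or the product) lists every commons-text JAR under a directory and marks those in the 1.5 through 1.9 range cited above. The function names `classify_version` and `scan_dir` are hypothetical, and the check assumes the version appears in the file name.

```shell
#!/bin/sh
# Added example (not vendor tooling): list commons-text JARs under a directory
# and mark versions in the range the article cites (1.5 through 1.9).
# Limitation: relies on the version in the file name; renamed JARs or JARs
# nested inside other archives are not detected.

# classify_version VERSION -> prints "in-range" or "out-of-range"
classify_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop suffixes such as "-SNAPSHOT"
    case "$major.$minor" in
        1.5|1.6|1.7|1.8|1.9) echo "in-range" ;;
        *)                   echo "out-of-range" ;;
    esac
}

# scan_dir DIR -> one tab-separated line per JAR: status, version, path
scan_dir() {
    find "$1" -type f -name 'commons-text-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#commons-text-}
        printf '%s\t%s\t%s\n' "$(classify_version "$ver")" "$ver" "$jar"
    done
}

# Default is the Linux example path from the article; pass another root as $1.
dir=${1:-/opt/CA/WorkloadAutomationAE/autosys/install/JARS}
if [ -d "$dir" ]; then
    scan_dir "$dir"
fi
```

Passing the product's installation root instead of the default also covers copies outside the `install/JARS` directory.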

 

11.x releases:

The 11.x releases do not have this module.


2.  CA Workload Automation iXP

CA Workload Automation iXP does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.


3.  CA Embedded Entitlements Manager 

CA Embedded Entitlements Manager does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.


Additional Information

09/28/2023 - sensitive info removed