CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022.
More information can be found here.
The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9.
Is Autosys Workload Automation affected by this?
1. CA Workload Automation AE (Including WebUI/WCC)
CA Workload Automation AE does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.
12.x releases:
- The installer leaves a file in the following location:
Linux Example:
/opt/CA/WorkloadAutomationAE/autosys/install/JARS/commons-text-1.9.jar
Windows Example:
C:\Program Files\CA\WorkloadAutomationAE\autosys\install\JARS\commons-text-1.8.jar
- The installer copies the file for its internal use, but none of the AutoSys components use this file, and the installer does not make use of the StringSubstitutor.
- This file can be removed manually without affecting product usage.
11.x releases:
Does not have this module.
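An added example (not vendor code) for the 12.x case above: shell functions that list any commons-text jar under the installer JARS directory and mark whether its file-name version falls in the 1.5 through 1.9 range. The default directory comes from the Linux example path; the function names are hypothetical, and the version is read from the file name only, so a renamed jar would not be classified correctly.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
# Assumption: the jar keeps its commons-text-<version>.jar file name.

# Report whether a version string is in the 1.5 through 1.9 range
# that this article names for CVE-2022-42889.
classify_version() {
    case "$1" in
        1.[5-9]|1.[5-9].*) echo in-range ;;
        *)                 echo outside-range ;;
    esac
}

# Extract the version from a name such as commons-text-1.9.jar.
jar_version() {
    base=$(basename "$1" .jar)
    echo "${base#commons-text-}"
}

# Print one tab-separated line per jar found: path, version, classification.
# The default root is the Linux example path from this article.
scan_commons_text() {
    root=${1:-/opt/CA/WorkloadAutomationAE/autosys/install/JARS}
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    find "$root" -type f -name 'commons-text-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        printf '%s\t%s\t%s\n' "$jar" "$ver" "$(classify_version "$ver")"
    done
}

# Run as: sh this_script.sh --scan [directory]
if [ "${1:-}" = "--scan" ]; then
    scan_commons_text "${2:-}"
fi
```

The scan only reports; removing a listed file remains the manual step described above.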
2. CA Workload Automation iXP
CA Workload Automation iXP does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.
3. CA Embedded Entitlements Manager
CA Embedded Entitlements Manager does not use the Apache Commons Text library and so is not vulnerable to CVE-2022-42889.
09/28/2023 - sensitive info removed