CVE-2022-42889 and Autosys Workload Automation
Article ID: 252472
Updated On:
Products
Issue/Introduction
CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022.
More information can be found here.
The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9.
Resolution
CA Workload Automation AE (Including WebUI/WCC)
CA Workload Automation AE does not use Apache Commons Text library and so is not vulnerable to CVE-2022-42889
- 12.x releases:
- installer leaves a file in the following location:
- Linux Example:
/opt/CA/WorkloadAutomationAE/autosys/install/JARS/commons-text-1.9.jar - Windows Example:
C:\Program Files\CA\WorkloadAutomationAE\autosys\install\JARS\commons-text-1.8.jar
- Linux Example:
- Installer copies the file for its internal use but none of the AutoSys components use this file, the installer also does not make use of the StringSubstitutor.
This file can safely be removed manually without affecting product usage - 11.x releases:
Does not have this module
- installer leaves a file in the following location:
CA Workload Automation iXP
CA Workload Automation iXP does not use Apache Commons Text library and so is not vulnerable to CVE-2022-42889
CA Embedded Entitlements Manager
CA Embedded Entitlements Manager does not use Apache Commons Text library and so is not vulnerable to CVE-2022-42889
Additional Information
Broadcom recommends to be on the latest maintenance to address the vulnerabilities documented in this article.
- For the most current Cumulative under the 12.1.0 release, apply CUM3.
- For the most current Cumulative under the 12.1.01 release, apply CUM2.
Feedback
