
PenTest - AWI: Disclosure of software component version information


Article ID: 255287

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

We recently hired an outside IT security firm to conduct a penetration test of the Automation Engine. Below is one of their findings regarding the AWI:

It should not be possible to identify the used application component versions through, e.g.:

  • Error messages
  • Install files
  • Source code
  • Directory paths
  • etc.

For example, the penetration tester used the above information to discover that the Vaadin framework used to create the application was version 7.7.17. He was then able to find known vulnerabilities in this version at https://vaadin.com/security.

Would you kindly evaluate this and let us know whether Broadcom would consider implementing this change?

Environment

Release : 12.3.6

Resolution

The AWI will continue to behave this way in current versions. Suppressing the disclosure of software component version information is planned for a future release as a functional enhancement.
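Until the enhancement ships, a customer can verify for themselves which of the disclosure vectors listed in the finding (bootstrap JavaScript, static-resource URLs, server error pages) leak a version string from their own AWI deployment. The script below is an added example written for this article, not code from Broadcom, Automic or the penetration test: it runs a set of regular expressions over captured HTTP request/response pairs and reports every component version it sees. The sample responses are constructed inline and are modelled on the generic Vaadin 7 bootstrap format (a `"versionInfo":{"vaadin":"..."}` object in the page script and a `?v=<version>` query on theme and widgetset resources) and on a default Tomcat error page; the exact markers in a given AWI build may differ, so treat the patterns as a starting point to extend with whatever your own captures show.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request/response pairs (not captured from a real AWI).
# They imitate the places where a Vaadin 7 application and a servlet container
# commonly reveal version information.
SAMPLE_RESPONSES: Dict[str, str] = {
    # Bootstrap page: Vaadin 7 embeds a versionInfo object in the page script
    # (assumption: marker name and layout as in generic Vaadin 7 bootstrap JS).
    "GET /awi/": (
        '<html><head><script type="text/javascript">\n'
        'vaadin.initApplication("awi-1",{"browserDetailsUrl":"./",'
        '"versionInfo":{"vaadin":"7.7.17"},"theme":"awi"});\n'
        "</script></head><body></body></html>"
    ),
    # Static theme resource: the framework version appears as a cache-busting
    # query parameter on the URL itself.
    "GET /awi/VAADIN/themes/awi/styles.css?v=7.7.17": "/* theme css */",
    # Container error page: default Tomcat 404 body and Server header.
    "GET /awi/widgetset/missing.js": (
        "HTTP/1.1 404 Not Found\n"
        "Server: Apache-Coyote/1.1\n\n"
        "<h1>HTTP Status 404</h1><h3>Apache Tomcat/8.5.40</h3>"
    ),
    # A page with nothing to report, so the scanner's negative case is covered.
    "GET /awi/login": "<html><body>Welcome</body></html>",
}

# (label, pattern). A pattern may name a "component" group; otherwise the
# label is used as the component name. Every pattern names a "version" group.
VERSION_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vaadin", re.compile(
        r'"versionInfo"\s*:\s*\{[^}]*"vaadin"\s*:\s*"(?P<version>\d+(?:\.\d+)+)"')),
    ("vaadin-static-resource", re.compile(
        r"[?&]v=(?P<version>\d+(?:\.\d+)+)")),
    ("server-banner", re.compile(
        r"(?P<component>Apache Tomcat|Apache-Coyote|Jetty|nginx)/(?P<version>\d+(?:\.\d+)+)")),
]


def scan_response(request: str, body: str) -> List[Tuple[str, str, str]]:
    """Return (request, component, version) for every version string found
    in either the request line (URL query) or the response body/headers."""
    text = request + "\n" + body
    findings: List[Tuple[str, str, str]] = []
    for label, pattern in VERSION_PATTERNS:
        for match in pattern.finditer(text):
            component = match.groupdict().get("component") or label
            findings.append((request, component, match.group("version")))
    return findings


def scan_all(responses: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan every captured exchange and concatenate the findings."""
    findings: List[Tuple[str, str, str]] = []
    for request, body in responses.items():
        findings.extend(scan_response(request, body))
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Collapse findings into component -> sorted list of distinct versions,
    which is the view a tester takes to a vendor advisory page."""
    summary: Dict[str, set] = {}
    for _request, component, version in findings:
        summary.setdefault(component, set()).add(version)
    return {component: sorted(versions) for component, versions in summary.items()}


if __name__ == "__main__":
    for request, component, version in scan_all(SAMPLE_RESPONSES):
        print(f"{request}: {component} {version}")
    print(summarize(scan_all(SAMPLE_RESPONSES)))
```

To run it against a real deployment, replace `SAMPLE_RESPONSES` with captures from a proxy or from `curl -i` against the AWI URL, including a request for a resource that does not exist so the container's error page is exercised. A version string that the scanner reports is exactly what the finding describes: the tester needs only that string to look up published advisories for the component.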