Embedded Entitlement Manager (EEM) Curl Vulnerability (CVE-2023-38545 & CVE-2023-38546)
search cancel

Embedded Entitlement Manager (EEM) Curl Vulnerability (CVE-2023-38545 & CVE-2023-38546)

book

Article ID: 274857

calendar_today

Updated On:

Products

CA Workload Automation AE

Issue/Introduction

Is CA Embedded Entitlements Manager (EEM) impacted by these vulnerabilities were found in the libcurl librar, CVE-2023-38545 & CVE-2023-38546?

 

NOTE: Not affected versions of libcurl are: <7.69.0 and >=8.4.0

Environment

Versions 12.6.3.0, 12.6.4.0, 12.6.5.0, 12.6.6.0

Resolution

CVE-2023-38545 - Based on the initial review on the usage of the libcurl, EEM is not using SOCKS5 proxy for connecting to remote hosts. While the version used is vulnerable, they are not exploitable since SOCKS5 proxy is not enabled.

CVE-2023-38546 - EEM is not impacted by CVE-2023-38546. EEM's use of the libcurl API does not meet the specific set of conditions that would allow an attacker to exploit this vulnerability.