CA Workload Automation AutoSys impact CVE-2023-38545 & CVE-2023-38546

Article ID: 274859


Products

AutoSys Workload Automation; CA Workload Automation AE - System Agent (AutoSys); CA Workload Automation iXP

Issue/Introduction

Is CA Workload Automation AE (AutoSys) impacted by the two vulnerabilities found in the libcurl library, CVE-2023-38545 and CVE-2023-38546?

Resolution

AutoSys Engine -  

CVE-2023-38545 – High 

Affected libcurl versions: 7.69.0 up to and including 8.3.0

Not affected libcurl versions: < 7.69.0 and >= 8.4.0

1) AutoSys r12 SP1 (12.0.01) and AutoSys 12.1 (12.1.0) distribute curl 7.42.1, which is below the affected range. Hence these releases are not impacted.

2) AutoSys r12.1 SP1 (12.1.01) distributes curl 8.1.2, which is within the affected range. However, the vulnerability is not exploitable in AutoSys for the reasons stated below.

CVE-2023-38545 is a heap buffer overflow in libcurl's SOCKS5 proxy handshake. It can only be triggered when libcurl is configured to let the SOCKS5 proxy resolve the target hostname (the socks5h mode) and that hostname is longer than 255 bytes. Proxy-side SOCKS5 resolution is not enabled by default; an application or its environment selects it in one of the following ways:

a) CURLOPT_PROXYTYPE set to CURLPROXY_SOCKS5_HOSTNAME
b) CURLOPT_PROXY or CURLOPT_PRE_PROXY set to a URL using the socks5h:// scheme
c) One of the proxy environment variables libcurl honours (http_proxy, HTTPS_PROXY or ALL_PROXY) set to a socks5h:// URL

AutoSys does not use any of these options in its calls to libcurl, so AutoSys is not impacted by this vulnerability. Condition (c) is controlled by the environment of the engine process rather than by AutoSys code, so when verifying this conclusion on a given host, confirm that none of those variables is set to a socks5h:// proxy in the environment the engine runs under.

Note: AutoSys uses libcurl only to connect to the external URLs defined in its configuration file, for two purposes:

1) Posting events to Automic.

2) Creating tickets in ServiceNow.

 

CVE-2023-38546 – Low 

Affected libcurl versions: 7.9.1 up to and including 8.3.0

Not affected libcurl versions: < 7.9.1 and >= 8.4.0

This vulnerability (cookie injection from a file named "none") can only be triggered through curl_easy_duphandle(), which AutoSys does not call. Hence it is not exploitable in AutoSys r12 SP1 (12.0.01) and AutoSys 12.1 (12.1.0), which distribute libcurl 7.42.1, nor in AutoSys r12.1 SP1 (12.1.01), which distributes libcurl 8.1.2, even though both libcurl versions fall within the affected range.
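The following POSIX sh script is an added example, not part of this article or of the AutoSys product. It turns the two checks the resolution above relies on into something that can be run on an engine host: the affected version ranges of both CVEs, and condition (c) of CVE-2023-38545, a proxy environment variable pointing at a socks5h:// proxy. The libcurl version strings and the NAME=VALUE proxy settings at the bottom are constructed sample input; the proxy host proxy.example is hypothetical.

```shell
#!/bin/sh
# Added example (not Broadcom's code): check a libcurl version against the
# affected ranges of CVE-2023-38545 (7.69.0 to 8.3.0) and CVE-2023-38546
# (7.9.1 to 8.3.0), and check whether any proxy environment variable that
# libcurl honours selects SOCKS5 with proxy-side name resolution (socks5h://).

# Turn "8.3.0" (or "8.3.0-DEV") into a sortable integer: 8003000.
vernum() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*//' | {
    IFS=. read -r maj min pat
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
  }
}

# True (exit 0) when version $1 lies in the inclusive range $2 .. $3.
version_in_range() {
  v=$(vernum "$1"); lo=$(vernum "$2"); hi=$(vernum "$3")
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# True when the proxy URL $1 uses the socks5h:// scheme. libcurl matches the
# scheme case-insensitively; plain socks5:// resolves the name locally and is
# not the vulnerable mode.
is_socks5h_proxy() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    socks5h://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every proxy variable whose value is a socks5h:// URL; exit 0 if any.
# Arguments are NAME=VALUE pairs so a captured environment (for example the
# engine's /proc/<pid>/environ) can be fed in; with no arguments the current
# shell environment is used. libcurl reads http_proxy only in lower case and
# the https/all variables in either case.
socks5h_proxy_vars() {
  if [ $# -eq 0 ]; then
    set -- "http_proxy=$http_proxy" "https_proxy=$https_proxy" \
           "HTTPS_PROXY=$HTTPS_PROXY" "all_proxy=$all_proxy" "ALL_PROXY=$ALL_PROXY"
  fi
  found=1
  for kv in "$@"; do
    name=${kv%%=*}; value=${kv#*=}
    if [ -n "$value" ] && is_socks5h_proxy "$value"; then
      echo "$name=$value"
      found=0
    fi
  done
  return $found
}

# Verdict for CVE-2023-38545: $1 is the libcurl version, the rest are
# NAME=VALUE proxy variables. Whether the application itself sets
# CURLOPT_PROXYTYPE / CURLOPT_PROXY is a code question (answered "not used"
# in the article); this covers the environment path, condition (c).
assess_cve_2023_38545() {
  ver=$1; shift
  if ! version_in_range "$ver" 7.69.0 8.3.0; then
    echo not-affected-version
  elif socks5h_proxy_vars "$@" >/dev/null; then
    echo affected-version-socks5h-set
  else
    echo affected-version-no-socks5h
  fi
}

# Verdict for CVE-2023-38546 by version only; whether curl_easy_duphandle()
# is ever called is a property of the application, not of the host.
assess_cve_2023_38546() {
  if version_in_range "$1" 7.9.1 8.3.0; then
    echo affected-version
  else
    echo not-affected-version
  fi
}

# Constructed demo: the three libcurl versions this article names, run against
# a hypothetical engine environment that routes all traffic via a socks5h proxy.
for v in 7.42.1 8.1.2 8.4.0; do
  echo "libcurl $v: CVE-2023-38545 -> $(assess_cve_2023_38545 "$v" "ALL_PROXY=socks5h://proxy.example:1080")"
  echo "libcurl $v: CVE-2023-38546 -> $(assess_cve_2023_38546 "$v")"
done
```

On a real host, the version string is whatever the bundled library reports (for a shared library, the "libcurl/x.y.z" string embedded in it, or the output of curl-config --version where that tool is installed); the environment to feed in is the one the engine process actually starts under, not the interactive shell of the administrator. Note that 7.42.1 reports as in range for CVE-2023-38546, which matches the article: that release is within the affected range and is safe only because AutoSys never calls curl_easy_duphandle().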

 

AutoSys WebUI (WCC) - libcurl is not used, so it is not impacted by either CVE-2023-38545 or CVE-2023-38546.

 

Workload Automation Agents - libcurl is not used, so they are not impacted by either CVE-2023-38545 or CVE-2023-38546.

 

Workload Automation iXP - libcurl is not used, so it is not impacted by either CVE-2023-38545 or CVE-2023-38546.