Is CA Workload Automation AE (AutoSys) impacted by the vulnerabilities found in the libcurl library, CVE-2023-38545 & CVE-2023-38546?
AutoSys Engine -
CVE-2023-38545 – High
Affected libcurl versions: 7.69.0 to and including 8.3.0
Not affected libcurl versions: <7.69.0 and >= 8.4.0
1) AutoSys r12 SP1 (12.0.01) and AutoSys 12.1 (12.1.0) distribute curl 7.42.1, which is below the affected range. Hence these releases are not impacted.
2) AutoSys r12.1 SP1 (12.1.01) distributes curl 8.1.2, which falls within the affected range. However, it is not exploitable for the reasons stated below:
This vulnerability is exploitable only when libcurl is made to reach out to a SOCKS5 proxy to resolve the hostname. SOCKS5 proxy use is not enabled by default, but it can be enabled in any of the following ways:
a) CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME
b) CURLOPT_PROXY or CURLOPT_PRE_PROXY set to use the scheme socks5h://.
c) Setting any of the environment variables http_proxy, HTTPS_PROXY or ALL_PROXY to point at a SOCKS5 proxy
AutoSys does not use any of the above options. So, AutoSys is not impacted by this vulnerability.
Note: AutoSys uses libcurl only to connect to external URLs defined in its configuration file, in order to perform the following actions:
1) Automic for posting the events.
2) ServiceNow for creating the tickets.
CVE-2023-38546 – Low
Affected libcurl versions: 7.9.1 to and including 8.3.0
Not affected libcurl versions: libcurl <7.9.1 and >= 8.4.0
AutoSys does not call curl_easy_duphandle(), which is one of the criteria for this vulnerability to be exploited. Hence it is not exploitable in AutoSys r12 SP1 (12.0.01) and AutoSys 12.1 (12.1.0), which distribute libcurl 7.42.1, nor in AutoSys r12.1 SP1 (12.1.01), which distributes libcurl 8.1.2.
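The reasoning above for both CVEs comes down to two questions: does the bundled libcurl fall inside the affected version range, and does the application actually exercise the vulnerable code path (a socks5h:// SOCKS5 proxy for CVE-2023-38545, curl_easy_duphandle() for CVE-2023-38546)? The following script is an added example, not Broadcom or AutoSys code, that encodes exactly the version ranges and the three proxy environment variables named in this article so an administrator can repeat the assessment for a given libcurl build and process environment. The CURLOPT_PROXYTYPE and CURLOPT_PROXY paths live inside the application's own code and cannot be read from the environment, so they are represented by the assumed boolean flags app_configures_socks5h and uses_duphandle; the proxy.example host and all version strings in the sample calls are constructed values.

```python
"""Exposure check for CVE-2023-38545 and CVE-2023-38546 in a libcurl build.

Added example (not AutoSys/Broadcom code). The affected ranges and the proxy
environment variable names are the ones stated in the advisory above.
"""
from typing import Dict, List, Mapping, Tuple

# Inclusive (lower, upper) bounds of the affected libcurl versions per CVE.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}

# Environment variables libcurl honours for proxy selection, as listed above.
PROXY_ENV_VARS = ("http_proxy", "HTTPS_PROXY", "ALL_PROXY")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.1.2' or 'libcurl/8.1.2' (the curl --version form) into a tuple."""
    text = text.strip()
    if "/" in text:
        text = text.rsplit("/", 1)[1]
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:          # pad '8.4' to (8, 4, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def affected_cves(version: str) -> List[str]:
    """CVEs whose affected range contains the given libcurl version."""
    v = parse_version(version)
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items() if lo <= v <= hi]


def socks5h_proxy_vars(env: Mapping[str, str]) -> List[str]:
    """Proxy variables whose value selects the socks5h:// scheme, i.e. the
    remote-hostname-resolution mode that CVE-2023-38545 requires.
    Both spellings of each name are checked to stay on the conservative side."""
    hits: List[str] = []
    for name in PROXY_ENV_VARS:
        for candidate in (name, name.lower(), name.upper()):
            if candidate in hits:
                continue
            value = env.get(candidate, "")
            if value.lower().startswith("socks5h://"):
                hits.append(candidate)
    return hits


def assess(version: str, env: Mapping[str, str],
           app_configures_socks5h: bool = False,   # assumed flag: CURLOPT_* paths a) and b)
           uses_duphandle: bool = False) -> Dict[str, bool]:  # assumed flag: curl_easy_duphandle()
    """True per CVE only when the version is in range AND the trigger is present."""
    in_range = affected_cves(version)
    socks5h_present = app_configures_socks5h or bool(socks5h_proxy_vars(env))
    return {
        "CVE-2023-38545": "CVE-2023-38545" in in_range and socks5h_present,
        "CVE-2023-38546": "CVE-2023-38546" in in_range and uses_duphandle,
    }


if __name__ == "__main__":
    # Constructed sample: the AutoSys 12.1 SP1 libcurl version, with no SOCKS5
    # proxy and no duphandle use, versus the same build behind a socks5h proxy.
    clean_env: Dict[str, str] = {}
    socks_env = {"ALL_PROXY": "socks5h://proxy.example:1080"}  # constructed
    print("8.1.2 in range for:", affected_cves("8.1.2"))
    print("clean environment:", assess("8.1.2", clean_env))
    print("socks5h environment:", assess("8.1.2", socks_env))
    print("7.42.1 in range for:", affected_cves("7.42.1"))
```

Running the script shows why the article reaches different conclusions for the two bundled builds: 7.42.1 is inside the CVE-2023-38546 range but outside the CVE-2023-38545 range, while 8.1.2 is inside both, and in either case the verdict flips to exposed only when the corresponding trigger (a socks5h:// proxy or curl_easy_duphandle()) is actually present.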
AutoSys WebUI (WCC) - libcurl is not used, so it is not impacted by either CVE-2023-38545 or CVE-2023-38546
Workload Automation Agents - libcurl is not used, so they are not impacted by either CVE-2023-38545 or CVE-2023-38546
Workload Automation iXP - libcurl is not used, so it is not impacted by either CVE-2023-38545 or CVE-2023-38546