Is AutoSys affected by the vulnerabilities CVE-2023-44487, CVE-2023-42794 and CVE-2023-42795?
All Supported Releases
AutoSys and WebUI (WCC)
1) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-42794 - Impacted
Solution: Upgrade to Tomcat version 9.0.81 or higher in the 9.0.x series
2) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-42795 - Impacted
Solution: Upgrade to Tomcat version 9.0.81 or higher in the 9.0.x series
3) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-44487 - Not impacted. Only the HTTP/2 protocol is affected. AutoSys Web Server and Web UI (WCC) use the HTTP/1.1 protocol (in <tomcat>/conf/server.xml the connector is defined with protocol="HTTP/1.1").
Note: https://bugzilla.redhat.com/show_bug.cgi?id=2242803 states that this was fixed in 9.0.81 onwards. So the Tomcat upgrade done to fix the first two items above also eliminates this vulnerability.
WorkloadAutomation Agent: Not Impacted
Embedded Entitlements Manager: Not Impacted
Workload Automation iXP: Upgrade the Tomcat that your iXP was configured with to version 9.0.81 or higher in the 9.0.x series, or 8.5.93 or higher in the 8.5.x series
Steps on how to upgrade Tomcat for AutoSys: https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1/installing/Install-AutoSys/upgrade-tomcat-version-for-autosys.html
Upgrade Tomcat for iXP: Stop iXP, rename the existing Tomcat folder, unzip the new Tomcat under the same folder structure, and rename the new Tomcat folder to the original Tomcat folder name that iXP was previously using. Move the iXP war file and any needed config files from the old Tomcat folder to the new one. Start the new Tomcat.
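A post-upgrade check, added here as an example and not Broadcom's own tooling: it compares a Tomcat version string against the minimum fixed releases given above and lists each connector in a server.xml, flagging any that has HTTP/2 enabled through an UpgradeProtocol element. The function names and the sample server.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed patch level per series, as stated on this page.
FIXED = {(9, 0): 81, (8, 5): 93}
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def is_fixed(version):
    """True/False for a 9.0.x or 8.5.x version string, None for other series."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    major, minor, patch = map(int, m.groups())
    minimum = FIXED.get((major, minor))
    return None if minimum is None else patch >= minimum


def audit_connectors(server_xml):
    """Return one dict per active <Connector>, noting whether HTTP/2 is enabled."""
    root = ET.fromstring(server_xml)  # commented-out connectors are ignored
    report = []
    for conn in root.iter("Connector"):
        http2 = any(up.get("className") == HTTP2_CLASS
                    for up in conn.iter("UpgradeProtocol"))
        report.append({
            "port": conn.get("port"),
            # Tomcat treats a missing protocol attribute as HTTP/1.1.
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "http2": http2,
        })
    return report


# Constructed sample, not taken from an AutoSys installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for c in audit_connectors(SAMPLE_SERVER_XML):
        print(c)
    print("9.0.80 fixed:", is_fixed("9.0.80"))
```

To use it on a real installation, pass the contents of <tomcat>/conf/server.xml to `audit_connectors` and the installed Tomcat version string to `is_fixed`.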