Is Autosys affected by these vulnerabilities CVE-2023-44487 CVE-2023-42794  and CVE-2023-42795  ?

All Supported Releases

AutoSys and WebUI (WCC)

1) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-42794  - Impacted

Solution: Upgrade to Tomcat version 9.0.81 or higher in the 9.0.x series

2) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-42795  - Impacted 

Solution: Upgrade to Tomcat version 9.0.81 or higher in the 9.0.x series

3) Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-44487 - Not impacted.  Only HTTP/2  protocol has impact.  AutoSys Web Server and  Web UI (WCC)  use HTTP/1.1 protocol (<tomcat>/conf/server.xml  a connector with protocol="HTTP/1.1").   

Note: https://bugzilla.redhat.com/show_bug.cgi?id=2242803  states that this was fixed in 9.0.81 onwards.  So, as part of fixing the first two items above, upgrade of tomcat eliminates this vulnerability also

WorkloadAutomation Agent:  Not Impacted

Embedded Entitlements Manager:  Not Impacted

Workload Automation iXP:  Upgrade to Tomcat that your iXP was configured with, to version 9.0.81 or higher in the 9.0.x series  or 8.5.93 or higher in the 8.5.x series

Steps on how to upgrade Tomcat for AutoSys: https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1/installing/Install-AutoSys/upgrade-tomcat-version-for-autosys.html

Upgrade Tomcat for iXP:  Stop iXP,  rename existing tomcat folder,  unzip new tomcat under same folder structure, rename new tomcat folder to the original tomcat folder name that iXP was prevously using. Move the iXP war file and any needed config files from old tomcat folder to new one.  Start new Tomcat

( https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/ca-workload-automation-ixp/11-4-00/installing/upgrade-from-11-3-x-to-11-4-x-.html)