Impact of OpenSSL Vulnerability CVE-2025-15467 on AutoSys Workload Automation Scheduler, Application Server, WCC and Agents

Article ID: 428396


Updated On:

Products

Autosys Workload Automation, Workload Automation Agent

Issue/Introduction

Customers may inquire if AutoSys Workload Automation is impacted by the critical vulnerability CVE-2025-15467 found in OpenSSL versions 3.0 through 3.6.
This vulnerability involves a stack buffer overflow when parsing CMS "AuthEnvelopedData" (S/MIME with AEAD ciphers).
Maliciously crafted CMS data with an oversized IV can trigger a stack-based out-of-bounds write.

SYMPTOMS:

  • Security scanners flag OpenSSL versions 3.0.x, 3.3.x, 3.4.x, 3.5.0-3.5.5, and 3.6.0-3.6.1

  • Concerns regarding denial-of-service or arbitrary code execution

CONTEXT:
This inquiry relates to the OpenSSL vulnerability tracked as CVE-2025-15467 disclosed in January 2026.

Environment

  • AutoSys Workload Automation 12.X, 24.X
  • AutoSys System Agent 12.X, 24.X

  • Workload Control Center (WCC) 12.X, 24.X
  • OpenSSL Versions 3.0.x through 3.6.x

Resolution

AutoSys / Agents

ANALYSIS: AutoSys Workload Automation is NOT vulnerable to CVE-2025-15467.

TECHNICAL DETAILS: To trigger the bug, the application must parse untrusted CMS/PKCS#7 content containing "AuthEnvelopedData".

  1. NO AFFECTED CODE PATHS: AutoSys does not utilize the "AuthEnvelopedData" method. There are no code paths within AutoSys that parse or process CMS AuthEnvelopedData or any CMS/PKCS#7/S/MIME structures.

  2. LIMITED OPENSSL USAGE: OpenSSL usage in AutoSys is limited to:

    • EVP (AES-128-CTR, PBKDF2)

    • RAND

    • ERR

    These paths do not interact with the OpenSSL CMS implementation affected by this CVE.

CONCLUSION: The current implementation is not vulnerable. There is no plan for an immediate fix specifically for CVE-2025-15467.

NEXT STEPS: The AutoSys engineering team will include the latest available OpenSSL version in future cumulative releases or service packs as part of standard maintenance.
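
A way to check a scanner finding against the reasoning above, added here as an example and not AutoSys or Broadcom code: it matches an OpenSSL version against the affected list in this article and looks for CMS/PKCS#7/S/MIME entry points among a binary's imported symbols. The `nm -D --undefined-only` input format, the token heuristic and the result labels are assumptions, and the sample symbol list is constructed.

```python
import re

# Affected OpenSSL ranges exactly as listed in this article:
# (major, minor) -> inclusive patch range; None means every ".x" release.
AFFECTED = {(3, 0): None, (3, 3): None, (3, 4): None, (3, 5): (0, 5), (3, 6): (0, 1)}

# Heuristic (assumption): CMS, PKCS7 or SMIME as an underscore-delimited token
# marks a CMS/PKCS#7/S/MIME entry point, e.g. CMS_decrypt or d2i_PKCS7.
CMS_TOKEN = re.compile(r"(?:^|_)(?:CMS|PKCS7|SMIME)(?:_|$)")


def version_flagged(version):
    """True if a version such as '3.5.4' is in the article's affected list."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) not in AFFECTED:
        return False
    rng = AFFECTED[(major, minor)]
    return rng is None or rng[0] <= patch <= rng[1]


def imported_symbols(nm_output):
    """Undefined (imported) symbol names from `nm -D --undefined-only` text."""
    names = []
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in ("U", "w"):
            names.append(fields[-1].split("@")[0])  # drop @OPENSSL_3.0.0 suffix
    return names


def triage(version, nm_output):
    """Combine the scanner's version match with the binary's own imports."""
    cms = sorted(s for s in imported_symbols(nm_output) if CMS_TOKEN.search(s))
    if not version_flagged(version):
        return "version-not-listed", cms
    return ("review-cms-usage" if cms else "flagged-no-cms-imports"), cms


# Constructed sample: imports limited to EVP, RAND and ERR, as described above.
# PKCS5_PBKDF2_HMAC is the PBKDF2 call and must not be mistaken for PKCS7.
SAMPLE_NM = """\
                 U ERR_get_error@OPENSSL_3.0.0
                 U EVP_aes_128_ctr@OPENSSL_3.0.0
                 U PKCS5_PBKDF2_HMAC@OPENSSL_3.0.0
                 U RAND_bytes@OPENSSL_3.0.0
"""
```

Dynamic imports are only one signal: statically linked or `dlopen`-loaded OpenSSL code does not appear in this listing.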

Workload Control Center (WCC)

Engineering (L2) has confirmed that Workload Control Center (WCC) does not use OpenSSL in the product. Therefore, WCC does not use OpenSSL to parse CMS or PKCS#7 content with AEAD ciphers.

STATUS:

  • Impact: None

  • Remedial Action: None required

VERIFY SUCCESS:
1. Review the vulnerability assessment report.

Additional Information

ROOT CAUSE:
CVE-2025-15467 is a stack buffer overflow in OpenSSL caused when parsing maliciously crafted CMS data.
WCC does not have any dependency on OpenSSL directly as a native SSL/Crypto component.

VERSION NOTES:

  • Affected OpenSSL Versions: 3.0.x, 3.3.x, 3.4.x, 3.5.0-3.5.5, 3.6.0-3.6.1

  • Non-Affected Versions: OpenSSL 1.1.1 and 1.0.2