PWP crashes on CallAPI login with long or UTF-8 passwords in Automation Engine 24.x.

Article ID: 437510

Products

  • Automic SaaS
  • CA Automic Workload Automation - Automation Engine

Issue/Introduction

The Automic Automation Engine system becomes unavailable due to the Primary Worker Process (PWP) crashing. This issue is specifically triggered during CallAPI login attempts.

Review the WP logs for the following error messages prior to the crash:

  • Input length not multiple of 8 bytes during de-obfuscation.
  • Error converting passwords to/from UTF-8.

Additionally, a UC4Dump file may be generated (e.g., UC4Dump_AUTOMIC#WP002_...txt).

Environment

  • Product: Automic Automation Engine
  • Versions: 24.0.0 and higher (until the fix version)
  • Component: CallAPI using TLS Gateway

Cause

A defect in the C++ code (present since version 24.0.0) causes a buffer overflow when the PWP processes a CallAPI login message.

When a password is long (close to the 32-character limit) or contains non-US-ASCII characters, its obfuscated and UTF-8 converted representation can exceed the fixed 64-byte buffer used for hash comparison. If the input length is not a multiple of 8 bytes or exceeds the buffer, the process crashes.

Resolution

Workaround

To prevent the PWP from crashing, ensure that passwords used for CallAPI logins meet the following criteria:

  1. Length: Use passwords significantly shorter than 32 characters (e.g., 20 characters or fewer).
  2. Character Set: Use only standard US-ASCII characters; avoid special or other non-ASCII characters, which take more than one byte in UTF-8 and so increase the byte length of the string.
  3. Validation: Optionally, disable password checking via UC_USER_LOGON for the affected CallAPI users if security policies allow.
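
The following Python pre-check is an added example, not part of the original article and not Broadcom code. It applies the workaround criteria above (20 characters or fewer, US-ASCII only, 32-character limit) to candidate CallAPI passwords. The function name and sample values are assumptions made for illustration, and the Automation Engine's own obfuscation is not reproduced.

```python
"""Pre-check CallAPI passwords against the workaround criteria in this article."""

HARD_LIMIT_CHARS = 32  # password length limit stated in the article
SAFE_LIMIT_CHARS = 20  # "20 characters or fewer" from the workaround


def check_callapi_password(password):
    """Return a list of findings; an empty list means the password fits the workaround."""
    findings = []
    n_chars = len(password)
    n_bytes = len(password.encode("utf-8"))
    # Any code point above 0x7F is outside US-ASCII and needs 2-4 bytes in UTF-8.
    non_ascii = {c for c in password if ord(c) > 0x7F}

    if n_chars > HARD_LIMIT_CHARS:
        findings.append(
            f"length {n_chars} exceeds the {HARD_LIMIT_CHARS}-character limit")
    elif n_chars > SAFE_LIMIT_CHARS:
        findings.append(
            f"length {n_chars} is above the recommended {SAFE_LIMIT_CHARS} characters")
    if non_ascii:
        findings.append(
            f"{len(non_ascii)} distinct non-US-ASCII character(s); "
            f"UTF-8 form is {n_bytes} bytes for {n_chars} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real credentials. The passwords themselves
    # are never printed, only their position in the list.
    samples = [
        "Short-ASCII-pw1",                    # fits the workaround
        "A" * 30,                             # ASCII, but close to the 32-character limit
        "P\u00e4ssw\u00f6rd-Gr\u00f6\u00dfe",  # non-ASCII: byte length exceeds character count
    ]
    for idx, pw in enumerate(samples, start=1):
        result = check_callapi_password(pw)
        print(f"sample {idx}: {'OK' if not result else '; '.join(result)}")
```
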

Permanent Fix

This issue is tracked under defect DE183465. A correction has been made to the CP server and PWP logic to properly handle password lengths and UTF-8 conversion.

Fix Versions:

  • Automic Automation Engine 26.0.0 - Available
  • Automic Automation Engine 24.4.4 HF1 - Available

Public Title:
Automic Automation Engine becomes unresponsive due to CallAPI login requests

Public Description:
A problem has been fixed where the Automation Engine becomes unresponsive if a CallAPI login uses a long obfuscated password. The maximum length of a password using the UCYBCRYP tool is 20 characters. Longer passwords will not work with Call APIs.

Additional Information

Article title: How to register to Broadcom Software Product updates and Critical Alerts

https://knowledge.broadcom.com/external/article?articleId=133819