Remediating Log4j Vulnerabilities in AutoSys uninstaller.jar

Article ID: 442029

Products

AutoSys Workload Automation

Issue/Introduction

Security scanners may flag the uninstaller.jar file located in the AutoSys installation directory due to embedded Apache Log4j libraries (e.g., version 2.23.1) that are susceptible to vulnerabilities such as CVE-2026-34480, CVE-2026-34477, and CVE-2026-34478.

Environment

AutoSys 12.x, 24.x

Cause

The uninstaller.jar file is an execution artifact used exclusively during the active uninstallation of the product. It does not run as a persistent background service or listener. Because Broadcom does not typically provide standalone patches for the uninstaller artifact between major releases, manual mitigation is recommended to satisfy security compliance requirements.

Resolution

Recommended Mitigation: Backup and Remove

The most effective way to remediate the vulnerability flag without breaking product functionality is to archive the file. This removes the file from the scanner's active path while preserving it for future use.

For Linux/Unix Environments:

Review these commands before running them.

    1. Navigate to the uninstaller directory
           cd /opt/CA/WorkloadAutomationAE/uninstaller/

    2. Create a compressed backup of the jar file
           tar -czvf uninstaller_backup.tar.gz uninstaller.jar

    3. Remove the original jar file to satisfy security scans
           rm -f uninstaller.jar

For Windows Environments:

    1. Navigate to the uninstaller folder in your installation path.
    2. Right-click uninstaller.jar and select Send to > Compressed (zipped) folder.
    3. Delete the original uninstaller.jar file.

Restoring for Uninstallation

If you ever need to uninstall the AutoSys instance:

  1. Extract the uninstaller.jar from the .tar.gz or .zip backup back into the original directory.
  2. Run the uninstaller as per standard documentation.
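
The Linux/Unix backup-and-remove steps and the restore step above, as an added example script (not Broadcom's code): it deletes the jar only after confirming the archived copy is byte-identical, and records a SHA-256 so the restored file can be checked. The function names, the uninstaller.jar.sha256 sidecar file and the availability of sha256sum are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: archive uninstaller.jar, verify the archive, then remove the jar.
# Function names and the .sha256 sidecar file are assumptions of this example.

# archive_uninstaller DIR: back up DIR/uninstaller.jar and delete it only after
# the archived copy is confirmed byte-identical to the file on disk.
archive_uninstaller() {
    local dir="$1" jar="uninstaller.jar" backup="uninstaller_backup.tar.gz"
    [ -f "$dir/$jar" ] || { echo "no $jar in $dir" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only good copy.
    [ ! -e "$dir/$backup" ] || { echo "$backup already exists" >&2; return 1; }
    (
        cd "$dir" || exit 1
        tar -czf "$backup" "$jar" || exit 1
        # Stream the archived bytes to stdout and compare them with the original.
        if ! tar -xzOf "$backup" "$jar" | cmp -s - "$jar"; then
            echo "archive verification failed, jar left in place" >&2
            rm -f "$backup"
            exit 1
        fi
        sha256sum "$jar" > "$jar.sha256"   # recorded for the later restore
        rm -f "$jar"
    )
}

# restore_uninstaller DIR: extract the jar again and check it against the
# hash recorded at archive time before the uninstaller is run.
restore_uninstaller() {
    local dir="$1" jar="uninstaller.jar" backup="uninstaller_backup.tar.gz"
    (
        cd "$dir" || exit 1
        [ ! -e "$jar" ] || { echo "$jar already present" >&2; exit 1; }
        tar -xzf "$backup" "$jar" || exit 1
        sha256sum -c "$jar.sha256" >/dev/null
    )
}
```

Call archive_uninstaller /opt/CA/WorkloadAutomationAE/uninstaller to apply the mitigation, and restore_uninstaller with the same directory before running the uninstaller.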

Verification

  1. Rerun the security scan to confirm that the path /opt/CA/WorkloadAutomationAE/uninstaller/uninstaller.jar is no longer detected.
  2. Verify that no active AutoSys services are impacted (as this file is not used for runtime operations).