Critical vulnerability with WCC


Article ID: 8539



Products: CA Workload Automation AE - Business Agents (AutoSys); CA Workload Automation AE - Scheduler (AutoSys); Workload Automation Agent


The AutoSys WCC application allows deferred expressions to be injected through several input parameters. This is a critical vulnerability.
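As an added illustration (not code from the article, from CA, or from WCC), the following check is the one a defender would put in front of a web application that evaluates expression syntax from request input, and the same check run over web server access logs for retrospective detection. It flags parameter values that contain the deferred ("#{") or immediate ("${") expression markers, after repeated URL-decoding so that double-encoded markers are not missed. The parameter names, request paths and log lines are constructed samples; the log format assumed is the common Tomcat/Apache access log layout.

```python
"""Flag request parameters carrying expression-language syntax.

Added example, not part of the original article or of WCC. Everything
below (parameter names, paths, log lines) is constructed sample data.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Expression markers: "#{" starts a deferred expression, "${" an immediate one.
EXPRESSION_RE = re.compile(r"[#$]\{")

# Matches the request line inside a Tomcat/Apache-style access log entry.
ACCESS_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded markers (e.g. %2524%257B) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_parameters(params: dict) -> list:
    """Return the names of parameters whose decoded value contains expression syntax."""
    return [name for name, value in params.items()
            if EXPRESSION_RE.search(fully_decode(value))]


def scan_access_log(lines) -> list:
    """Return (request target, flagged parameter names) for entries carrying expression syntax."""
    hits = []
    for line in lines:
        match = ACCESS_LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        target = match.group("target")
        # parse_qsl performs one round of decoding; fully_decode handles the rest.
        params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
        flagged = flag_parameters(params)
        if flagged:
            hits.append((target, flagged))
    return hits


# Constructed sample log lines: one benign request, one single-encoded and one
# double-encoded request whose "name" parameter carries an expression marker.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app-editor/view?name=daily_load HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /app-editor/view?name=%23%7Bx%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app-editor/view?name=%2524%257Bx%257D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, names in scan_access_log(SAMPLE_LOG):
        print(f"expression syntax in {names} of request {target}")
```

The same `flag_parameters` check is what a request-validation filter would apply to every incoming parameter before the value reaches any component that evaluates expressions; rejecting the request at that point removes the injection path regardless of which page consumes the parameter.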



WCC Version: 11.4 SP5


1. In your WCC environment, if end users do not use the "Application Editor" tab to create jobs, the following workaround can be applied:

a. Update the EEM access policies so that "Application Editor" is not shown to users: log in to EEM, navigate to "Manage Access Policies", under the "Policies" / "Search Policies" section choose the "ApplicationAccess" policy, and uncheck the ApplicationEditor action for the user groups.

b. Comment out the following two configuration entries, related to the ILOG configuration, in the "/opt/CA/<WorkloadCC>/tomcat/webapps/app-editor/WEB-INF/web.xml" file:


<description>Used to validate values of URL parameters used by iLog to prevent using forbidden values to get access to filesystem.</description> 

As additional information: the next release moves away from the IBM ILOG component, so this problem will not exist there.



Additional Information

A permanent fix will be included in 11.3.6 SP7.