Critical vulnerability with WCC

Article ID: 8539

Updated On:

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent

Issue/Introduction

The AutoSys application allows deferred expressions to be injected through several input parameters. This is a critical vulnerability.

 

Environment

WCC Version: 11.4 SP5

Resolution

1. If end users in your WCC environment do not use the “Application Editor” tab to create jobs, do the following:

a. Update the EEM access policies so that users are not shown ‘Application Editor’: log in to EEM, navigate to ‘Manage Access Policies’, and under the ‘Policies’ / ‘Search Policies’ section choose the ‘ApplicationAccess’ policy and uncheck the ApplicationEditor action for the user groups.

b. Comment out the following two configuration blocks, which relate to the ILOG configuration, in the “/opt/CA/<WorkloadCC>/tomcat/webapps/app-editor/WEB-INF/web.xml” file:

<filter>
    <description>Used to validate values of URL parameters used by iLog to prevent using forbidden values to get access to filesystem.</description>
    <filter-name>ILogResourceFilter</filter-name>
    <filter-class>com.ca.wcc.filter.ILogResourceFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>IlogController</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
    <init-param>
        <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
        <param-value>com.ca.wcc.editor.*</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern>
</servlet-mapping>

 

As additional information, in the next release we are moving away from the IBM ILOG component, so this problem will definitely not exist there.
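One way to confirm that step b was applied completely is to parse the edited web.xml and list any of the named ILOG blocks that are still active. This is an added example, not code from CA or from the original article; the function names, the sample document and its namespace are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Element kind -> (child holding the name, name the article says to comment out)
TARGETS = {
    "filter": ("filter-name", "ILogResourceFilter"),
    "filter-mapping": ("filter-name", "ILogResourceFilter"),
    "servlet": ("servlet-name", "IlogController"),
    "servlet-mapping": ("servlet-name", "IlogController"),
}

# Constructed sample of a partially applied change: the filter blocks are
# commented out, the servlet blocks are not. The namespace is an assumption.
SAMPLE_PARTIAL = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <!-- <filter><filter-name>ILogResourceFilter</filter-name>
    <filter-class>com.ca.wcc.filter.ILogResourceFilter</filter-class></filter>
  <filter-mapping><filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern></filter-mapping> -->
  <servlet><servlet-name>IlogController</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class></servlet>
  <servlet-mapping><servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern></servlet-mapping>
</web-app>"""


def local(tag):
    """Drop an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def active_ilog_entries(xml_data):
    """Return the ILOG blocks that are still active (not commented out)."""
    root = ET.fromstring(xml_data)  # the default parser discards XML comments
    found = []
    for elem in root:
        kind = local(elem.tag)
        name_tag, wanted = TARGETS.get(kind, (None, None))
        names = [(c.text or "").strip() for c in elem if local(c.tag) == name_tag]
        if wanted in names:
            found.append(f"{kind}:{wanted}")
    return found


if __name__ == "__main__":
    # Pass the path to web.xml as the first argument; without one, the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PARTIAL
    active = active_ilog_entries(data)
    print("still active:", ", ".join(active) or "none")
    sys.exit(1 if active else 0)
```

The script exits non-zero while any of the four blocks remains active, so it can gate a configuration check after the edit and again after any upgrade that replaces web.xml.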

 

 

Additional Information

The permanent fix will be in 11.3.6 SP7.