The Autosys Workload Control Center (WCC) application allows injecting deferred-evaluation EL expressions (the #{...} syntax evaluated by the JSF layer) through several input parameters. This is a critical vulnerability.
1. In your WCC environment, if end users do not use the "Application Editor" tab to create jobs, apply the following workaround:
a. Update the EEM access policies so that users no longer see "Application Editor": log in to EEM, navigate to "Manage Access Policies", under "Policies" / "Search Policies" choose the "ApplicationAccess" policy and uncheck the ApplicationEditor action for the user groups.
b. Comment out the following two ILOG-related configurations (the ILogResourceFilter filter and the IlogController servlet, each together with its mapping) in "/opt/CA/<WorkloadCC>/tomcat/webapps/app-editor/WEB-INF/web.xml" by wrapping each element in <!-- ... -->, then restart the WCC Tomcat service so the /_contr/* mapping is no longer served:
<filter>
    <description>Used to validate values of URL parameters used by iLog to prevent using forbidden values to get access to filesystem.</description>
    <filter-name>ILogResourceFilter</filter-name>
    <filter-class>com.ca.wcc.filter.ILogResourceFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern>
</filter-mapping>
<servlet>
    <servlet-name>IlogController</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
    <init-param>
        <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
        <param-value>com.ca.wcc.editor.*</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern>
</servlet-mapping>
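The following script is an added example, not CA's own tooling: it applies step b with an XML parser instead of hand-editing, turning the four entries above into XML comments and then re-parsing the result to confirm that no active ILogResourceFilter or IlogController entry remains. The default web.xml path (with "WorkloadCC" standing in for the real install directory name) and the embedded sample web.xml are assumptions and constructed test data; run it on the WCC host against a backup first.

```python
"""
Added example (not CA's code): comment out the ILOG filter/servlet entries in
app-editor's web.xml so Tomcat no longer maps /_contr/* to IlvFacesController.
"""
import re
import shutil
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Assumed default path; "WorkloadCC" is a placeholder for the install directory.
DEFAULT_WEB_XML = "/opt/CA/WorkloadCC/tomcat/webapps/app-editor/WEB-INF/web.xml"

# (element, child that names it, name) for the four entries the workaround disables.
TARGETS = [
    ("filter", "filter-name", "ILogResourceFilter"),
    ("filter-mapping", "filter-name", "ILogResourceFilter"),
    ("servlet", "servlet-name", "IlogController"),
    ("servlet-mapping", "servlet-name", "IlogController"),
]


def local_name(tag):
    """'{http://java.sun.com/xml/ns/javaee}servlet' -> 'servlet' (namespace-agnostic)."""
    return tag.rsplit("}", 1)[-1]


def is_target(elem):
    """True if elem is one of the four ILOG entries, regardless of web.xml namespace."""
    for tag, name_child, name in TARGETS:
        if local_name(elem.tag) != tag:
            continue
        for child in elem:
            if local_name(child.tag) == name_child and (child.text or "").strip() == name:
                return True
    return False


def comment_out_ilog(xml_text):
    """Return (rewritten web.xml text, number of entries turned into comments)."""
    root = ET.fromstring(xml_text)
    # Keep the default namespace unprefixed so the output still looks like a web.xml.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    count = 0
    for index, elem in enumerate(list(root)):
        if not is_target(elem):
            continue
        body = ET.tostring(elem, encoding="unicode")
        body = re.sub(r'\s+xmlns(:\w+)?="[^"]*"', "", body)  # drop per-element xmlns
        if "--" in body:  # '--' is illegal inside an XML comment
            raise ValueError("entry contains '--'; comment it out by hand")
        comment = ET.Comment(" disabled (ILOG workaround): " + body.strip() + " ")
        comment.tail = elem.tail  # preserve the original line breaks
        root.remove(elem)
        root.insert(index, comment)
        count += 1
    declaration = '<?xml version="1.0" encoding="UTF-8"?>\n'
    return declaration + ET.tostring(root, encoding="unicode"), count


def remaining_ilog_entries(xml_text):
    """Post-check: active (non-commented) ILOG entries still present in the file."""
    root = ET.fromstring(xml_text)  # the default parser drops comments
    return sum(1 for elem in root if is_target(elem))


# Constructed sample mirroring the entries quoted above (not the real file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <description>Used to validate values of URL parameters used by iLog.</description>
    <filter-name>ILogResourceFilter</filter-name>
    <filter-class>com.ca.wcc.filter.ILogResourceFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>IlogController</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
    <init-param>
      <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
      <param-value>com.ca.wcc.editor.*</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>FacesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
</web-app>
"""


def main(argv):
    path = Path(argv[1] if len(argv) > 1 else DEFAULT_WEB_XML)
    shutil.copy2(path, path.with_suffix(".xml.bak"))  # keep a backup before editing
    new_text, count = comment_out_ilog(path.read_text(encoding="utf-8"))
    path.write_text(new_text, encoding="utf-8")
    print(f"commented out {count} ILOG entries; still active: {remaining_ilog_entries(new_text)}")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: python3 comment_out_ilog.py /opt/CA/<WorkloadCC>/tomcat/webapps/app-editor/WEB-INF/web.xml, then restart Tomcat; "still active: 0" confirms the mapping is gone. Unrelated servlets (FacesServlet in the sample) are left untouched, and the script refuses to proceed if an entry contains "--", which XML does not allow inside a comment.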
As additional information, the next release moves away from the IBM ILOG component, so this problem will not exist there.
The permanent fix will be delivered in 11.3.6 SP7.