Automic 12.3 - CVE-2022-33756 - entropy weakness vulnerability in Automation Engine
Article ID: 249945


Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

Please see CA20220609-01: Security Notice for CA Automic Automation and CVE-2022-33756 for information on vulnerabilities found in the Automation Engine:

CVE-2022-33756 is caused by an entropy bug in the Automic Automation Engine. A remote attacker can potentially access sensitive data.

This article discusses the steps to mitigate this in 12.3.

Environment

Automation Engine and Agents: 12.3

Cause

Entropy bug in authentication modes NO and LOCAL

Resolution

Manual method (12.3.9 HF1 and earlier):
In 12.3.9 HF1 and earlier versions, the manual method is needed.  The main steps are outlined in the documentation here.  They consist of setting up LOCAL_REMOTE (steps 1 through 4), downloading an Authentication Package (steps 5 through 8), and moving the package and updating the agent ini file (steps 9 through 12).

Non-Manual method (12.3.9 HF2):

Note: If you are using authentication method LOCAL_REMOTE and would like to continue to do so, no update is necessary.  The following applies to systems using authentication mode LOCAL or NO (the default) in UC_AS_SETTINGS.  Authentication mode NO is not recommended, for authentication and security reasons.
If you update agents to 12.3.9 HF2 within a 21.0.x environment, they will only be able to connect to an Automation Engine version and service pack of 21.0.5 or later (Available).

With the release of 12.3.9 HF2, this vulnerability has been removed from the product.

The steps that will need to be taken:

  1. Open the client 0 variable UC_AS_SETTINGS.  Ensure that the key GSS_COMPATIBILITY is either absent from the variable or set to YES.
  2. Upgrade the Automation Engine components to 12.3.9 HF2 (please note that this also requires an update to the utilities and initialdata, as well as the AWI).
  3. Upgrade all agents to 12.3.9 HF2.  Please note that CAU can be used for agent upgrades.
  4. Once everything has been upgraded, log on to system Client 0 and open the Administration perspective.
  5. Open the list of agents.
  6. Renew the transfer key for each agent that was upgraded.  This gives the agents a strong entropy key and mitigates the vulnerability; if the transfer key is not renewed, the agents will continue to use the lower entropy key.

[OPTIONAL] - Once all agents are upgraded to a version with strong entropy keys, the system can be restricted so that only agents with higher entropy keys are allowed to connect:

NOTE: If the GSS_COMPATIBILITY setting is changed to NO, only agents on 12.3.9 HF2 that have had their transfer key renewed will be able to connect to the system.  Any agents that are on version 12.3.9 HF1 or below, OR that have been updated to 12.3.9 HF2 but have not had their transfer key renewed, will be unable to connect to the system.

  1. Log into Client 0
  2. Open the UC_AS_SETTINGS variable
  3. Set the key GSS_COMPATIBILITY to NO and save the variable
  4. Restart the WPs and CPs
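Before flipping GSS_COMPATIBILITY to NO, it helps to check the agent inventory against the connection rules stated in the two procedures above. The following readiness check is an added example written for this article, not Automic tooling; the Agent records and the INVENTORY list are constructed sample data, and the version strings are assumed to follow the "12.3.9 HF2" form used on this page.

```python
"""Readiness check for the GSS_COMPATIBILITY=NO cut-over (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Agent:
    name: str
    version: str       # assumed form: "12.3.9 HF2", "12.3.9 HF1", "12.3.8"
    key_renewed: bool  # transfer key renewed after the HF2 upgrade


def parse_version(text):
    """'12.3.9 HF2' -> (12, 3, 9, 2); a missing hotfix counts as HF0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


FIXED = parse_version("12.3.9 HF2")


def is_mitigated(agent):
    """Strong entropy key only after the HF2 upgrade AND a key renewal."""
    return parse_version(agent.version) >= FIXED and agent.key_renewed


def can_connect(agent, engine_version, gss_compatibility):
    """Connection rules as stated in the article."""
    ev = parse_version(engine_version)
    if ev[:2] == (21, 0) and parse_version(agent.version) >= FIXED:
        return ev >= (21, 0, 5, 0)          # HF2 agents need AE 21.0.5+
    if gss_compatibility.upper() == "NO":
        return is_mitigated(agent)          # only renewed HF2 agents
    return True                             # YES: all agents accepted


def cutover_report(agents, engine_version, gss_compatibility="NO"):
    """Return (safe_to_switch, names of agents that would be locked out)."""
    lost = [a.name for a in agents
            if not can_connect(a, engine_version, gss_compatibility)]
    return (not lost, lost)


INVENTORY = [  # constructed sample data, not real hosts
    Agent("WIN01", "12.3.9 HF2", True),
    Agent("UNIX01", "12.3.9 HF2", False),   # upgraded, key not renewed
    Agent("SAP01", "12.3.9 HF1", False),    # not yet upgraded
]

if __name__ == "__main__":
    ok, lost = cutover_report(INVENTORY, "12.3.9 HF2")
    print("safe to set GSS_COMPATIBILITY=NO:", ok, "| would lock out:", lost)
```

Run it against the real agent list exported from the Administration perspective; any name it reports is an agent that still needs the HF2 upgrade or the transfer key renewal before the cut-over.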

Additional Information

FAQ:

Q) Can agents on 12.3.9 HF1 or lower continue to connect to a system where the Automation Engine is on 12.3.9 HF2?
A) Yes, as long as GSS_COMPATIBILITY is still set to YES in UC_AS_SETTINGS.

Q) Does the renewal of the transfer key require the agent to be stopped and restarted?
A) Yes

Q) Can AUTHENTICATION in UC_AS_SETTINGS continue to be blank or set to NO after updating everything to 12.3.9 HF2?  
A) Yes

Q) Can the agent transfer keys be renewed on 12.3.9 HF2 while GSS_COMPATIBILITY is set to NO?
A) Yes

Q) Can agents updated to 12.3.9 HF2 whose keys have been renewed connect to a system with GSS_COMPATIBILITY set to YES?
A) Yes

Q) Can agents updated to 12.3.9 HF2 connect to 21.0 systems?
A) Not at this time.  When 21.0.5 is released (planned for February 2023), they will be able to connect.

Q) Are only system agents affected by this entropy issue?
A) This is a GSS problem. GSS is a security layer used for the authentication of agents and also for encrypting the traffic. It is implemented in the CPs and in all components that connect to them. These changes therefore apply not only to OS agents but also to Java-based agents (RA, SAP, and so on).