Twenty Year Anniversary

CA Workload Automation AE / CA Workload Control Center SQL Injection / Code Execution

CA Workload Automation AE / CA Workload Control Center SQL Injection / Code Execution
Posted Mar 30, 2018
Authored by Ken Williams | Site www3.ca.com

CA Technologies Support is alerting customers to two potential risks with CA Workload Automation AE and CA Workload Control Center. Two vulnerabilities exist that can allow a remote attacker to conduct SQL injection attacks or execute code remotely. The first vulnerability in CA Workload Automation AE has a medium risk rating and concerns insufficient data validation that can allow an authenticated remote attacker to conduct SQL injection attacks. The second vulnerability in CA Workload Control Center has a high risk rating and concerns an Apache MyFaces configuration that can allow an authenticated remote attacker to conduct remote code execution attacks.

tags | advisory, remote, vulnerability, code execution, sql injection
advisories | CVE-2018-8953, CVE-2018-8954
MD5 | 935c0394f16b00a60479a80993828cee

CA Workload Automation AE / CA Workload Control Center SQL Injection / Code Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CA20180329-01: Security Notice for CA Workload Automation AE and CA
Workload Control Center

Issued: March 29, 2018
Last Updated: March 29, 2018

CA Technologies Support is alerting customers to two potential risks
with CA Workload Automation AE and CA Workload Control Center. Two
vulnerabilities exist that can allow a remote attacker to conduct SQL
injection attacks or execute code remotely.

The first vulnerability, CVE-2018-8953, in CA Workload Automation AE,
has a medium risk rating and concerns insufficient data validation
that can allow an authenticated remote attacker to conduct SQL
injection attacks.

The second vulnerability, CVE-2018-8954, in CA Workload Control
Center, has a high risk rating and concerns an Apache MyFaces
configuration that can allow an authenticated remote attacker to
conduct remote code execution attacks.


Risk Rating

CVE-2018-8953 - Medium
CVE-2018-8954 - High


Platform(s)

All supported platforms


Affected Products

CVE-2018-8953:
CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier
CVE-2018-8954:
CA Workload Control Center (CA WCC) r11.4 SP5 and earlier


Unaffected Products

CA Workload Automation AE r11.3.5 with appropriate fixes listed
below
CA Workload Automation AE r11.3.6 SP7
CA Workload Control Center (CA WCC) r11.4 SP5 with appropriate
fixes listed below
CA Workload Control Center (CA WCC) r11.4 SP6


How to determine if the installation is affected

Customers may use the CA Workload Automation AE / CA Workload Control
Center interface to find the installed version and then use the table
in the Affected Products section to determine if the installation is
vulnerable.


Solution

CA Technologies published the following solutions to address the
vulnerabilities.

CA Workload Automation AE r11.3.5:
Apply the appropriate patch for your platform:
Windows: SO00700
HP: SO00696
AIX: SO00695
Sun: SO00694
Linux: SO00693

CA Workload Automation AE r11.3.6:
Apply SP7.

CA Workload Control Center (CA WCC) r11.4 SP5:
Apply patch RO99200 or CA Workload Control Center (CA WCC) r11.4 SP6


References

CVE-2018-8953 - CA Workload Automation AE SQL injection
CVE-2018-8954 - CA Workload Control Center MyFaces RCE


Acknowledgement

CVE-2018-8953 - Hamed Merati from Sense of Security Labs
CVE-2018-8954 - Hamed Merati and Kacper Nowak from Sense of
Security Labs


Change History

Version 1.0: Initial Release


Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
send a report to CA Technologies Product Vulnerability Response
at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782


Regards,

Regards,
Ken Williams
Vulnerability Response Director
CA Technologies Product Vulnerability Response Team

Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 16620)
Charset: utf-8

wsFVAwUBWr2G/8Mr2sgsME5lAQoYsQ//Tt/AFWC716QPLJLhQtdwIkMuD1xjEjeM
VXnLjDxakia0czUXWKkvL44O8SINlhPqgu0PJe7soGTvq1AqSO1BlX5nTSlcz0lS
3IWj3CZQnGIx15blX6nfWAdIO8mwH7Yxc/FtG2QT3AmjuJW+C9sxAljcCv9fK2Rk
dY9om/tSmCXYwfuy/z4jpEqRXZLyOhYQ9P3+32oWSJeD4xSnifcUxbtLvm3urI9o
es14hVTL4fnX2/E33hK1ndNRuQaGuGz0oy5xLWhJ8MmkDK404tZnATRvwH5jLASY
m5JRIY61kg+G1MBIYU/F88zSw8aODyNnK3DKpcVS6fvCa46IPunVWvh7+YRRgc70
hjR+1F5MIJ+fg9qudWD0BdKQiqXJ0jHBS/N/bannUcP8FkHUdIzgUIwgxOpg7wPf
+UsmOcIzvS2zs6PNES/6XdDc1MRrmbZhM0BNZaniue7rgNhaDsSPAuXPwcJDRurv
bFfvqiA01Lt/BIgkbUjHTHbd4XiS46XLgtzxbXwlC7SgKgWViQgwMY7I/KQEIrqG
tuvjV8BwJdOVFN6UPFNvY/0FEf1C7pVcrIaxVZpWOGnZKddIvU6Dm/Arf+ezW09h
/Tc8wpW3SLh8MrEONN++VeCtUhuWAwnCqx/fA8JCGWYEfjp7WXlGMgArWNRc1WmD
tfPwcRGax7A=
=mX47
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close