Sense of Security – Security Advisory – SOS-18-002
| Release Date. | 29-Mar-2018 |
| Last Update. | – |
| Vendor Notification Date. | 17-Oct-2017 |
| Product. | CA Workload Automation AE |
| Platform. | Windows |
| Affected versions. | CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier |
| Severity Rating. | Medium |
| Impact. | Exposure of sensitive information Exposure of system information |
| Attack Vector. | Remote with authentication |
| Solution Status. | CA Workload Automation AE Release 11.3.6 SP7 |
| CVE reference. | CVE-2018-8953 |
Details
CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. CA Workload Automation AE suffers from SQL injection vulnerabilities as it fails to validate data supplied before being used in a SQL query.
Please refer to the PDF version of this advisory for affected URLs and proof of concept code examples.
Solution
Apply patch from CA Workload Automation AE Release 11.3.6 SP7 (https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/release-notes/ae-release-notes/ae-release-11-3-6-sp7) released on 2 March 2018.
Additional information is available at:
https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180329-01–security-notice-for-ca-workload-automation-ae.html
Discovered By
Hamed Merati from Sense of Security Labs.