Sense of Security – Security Advisory – SOS-18-002 – CA Workload Automation AE SQL Injection

Sense of Security – Security Advisory – SOS-18-002

Release Date. 29-Mar-2018
Last Update.
Vendor Notification Date. 17-Oct-2017
Product. CA Workload Automation AE
Platform. Windows
Affected versions. CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier
Severity Rating. Medium
Impact. Exposure of sensitive information; exposure of system information
Attack Vector. Remote with authentication
Solution Status. CA Workload Automation AE Release 11.3.6 SP7
CVE reference. CVE-2018-8953

Details

CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. CA Workload Automation AE suffers from SQL injection vulnerabilities because it fails to validate supplied data before that data is used in a SQL query.

Please refer to the PDF version of this advisory for affected URLs and proof of concept code examples.

Solution

Apply the patch from CA Workload Automation AE Release 11.3.6 SP7 (https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/release-notes/ae-release-notes/ae-release-11-3-6-sp7), released on 2 March 2018.

Additional information is available at:

https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180329-01--security-notice-for-ca-workload-automation-ae.html

Discovered By

Hamed Merati from Sense of Security Labs.