The use of an outdated Java UI framework makes CA Automic AWI (formerly Automic or UC4) susceptible to persistent Cross-Site Scripting (XSS). Attackers with limited privileges in AWI can exploit this vulnerability to take over other users’ accounts and to escalate privileges.
“The modern enterprise needs to orchestrate a complex, diverse landscape of applications, platforms and technologies. Workload automation can prove a critical differentiator, but only if it provides intelligent automation driven by data analytics.
CA Automic Workload Automation gives you the agility, speed, visibility and scalability needed to respond to the constantly changing technology landscape. It centrally manages and automates the execution of business processes end-to-end; across mainframe, cloud and hybrid environments in a way that never stops—even when doing an upgrade to the next version.”
Be aware that restrictions on privileges can be bypassed and that attackers may be able to take over other users’ accounts. SEC Consult recommends applying the vendor patch as soon as possible.
Proof of concept
Vulnerable / tested versions
The tested version of AWI was 12.2.0.
Vendor contact timeline
| Date | Event |
|---|---|
| 2018-10-18 | SEC Consult contacts vendor through email@example.com via encrypted email. |
| 2018-10-25 | Vendor confirms the receipt of the vulnerability information. |
| 2018-11-22 | Vendor confirms the vulnerability and asks for postponement of advisory release date. |
| 2018-12-11 | Vendor provides planned patch numbers. |
| 2019-01-17 | Vendor informs SEC Consult that patches have been published. |
| 2019-01-18 | CA Technologies and SEC Consult define January 24th 2019 as release date for SEC Consult advisory and CA Technologies Security Notice. |
| 2019-01-24 | Public release of security advisory. |
The vendor provides patched versions:
Automic.Web.Interface 12.0.6 HF2
Automic.Web.Interface 12.1.3 HF3
Automic.Web.Interface 12.2.1 HF1
Available from: https://downloads.automic.com/
The vendor released a security advisory which is available here.
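A patch-level check against the fixed versions listed above, as an added example that is not part of the SEC Consult advisory or any vendor tooling. The version-string format, the sample inventory, and the rule that later service packs or hotfixes within a listed branch keep the fix are assumptions.

```python
import re

# Fixed builds per release branch, copied from the advisory's patch list:
# (major, minor) -> (service pack, hotfix)
FIXED = {
    (12, 0): (6, 2),  # 12.0.6 HF2
    (12, 1): (3, 3),  # 12.1.3 HF3
    (12, 2): (1, 1),  # 12.2.1 HF1
}

# Assumed string shape: "12.2.1 HF1" or "12.2.0", optionally after a product name.
VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return ((major, minor), (service_pack, hotfix)); raise ValueError if unparsable."""
    m = VERSION_RE.search(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, sp = (int(m.group(i)) for i in (1, 2, 3))
    hotfix = int(m.group(4) or 0)  # no "HF" suffix means no hotfix installed
    return (major, minor), (sp, hotfix)

def assess(text):
    """Classify an AWI version string as 'fixed', 'vulnerable' or 'unknown'."""
    try:
        branch, level = parse_version(text)
    except ValueError:
        return "unknown"
    fixed_level = FIXED.get(branch)
    if fixed_level is None:
        return "unknown"  # branch not covered by the advisory: make no claim
    # Assumption: later service packs/hotfixes in the same branch keep the fix.
    return "fixed" if level >= fixed_level else "vulnerable"

def report(inventory):
    """Map each host in {host: version_string} to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "awi-prod-01": "Automic.Web.Interface 12.2.0",
    "awi-prod-02": "Automic.Web.Interface 12.2.1 HF1",
    "awi-test-01": "12.1.3 HF2",
    "awi-test-02": "12.0.7",
    "awi-lab-01": "12.3.0",
}
```

Hosts reported as "unknown" run a branch the advisory does not list or a version string the parser does not recognise, and need manual review.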
EOF M. Nimmerrichter / @2019
- Title: Cross-site scripting
- Product: CA Automic Workload Automation Web Interface (AWI), formerly Automic Automation Engine (UC4)
- Vulnerable version: 12.0, 12.1, 12.2
- Fixed version: 12.0.6 HF2, 12.1.3 HF3, 12.2.1 HF1
- CVE number: CVE-2019-6504
- By: Marc Nimmerrichter (Office Vienna), SEC Consult Vulnerability Lab