Sense of Security – Security Advisory – SOS-18-001
| Release Date. | 29-Mar-2018 |
| Last Update. | – |
| Vendor Notification Date. | 25-Oct-2017 |
| Product. | CA Workload Automation AE |
| Platform. | Windows |
| Affected versions. | CA Workload Control Center (CA WCC) r11.4 SP5 and earlier |
| Severity Rating. | High |
| Impact. | System Access |
| Attack Vector. | Remote with authentication |
| Solution Status. | CA WCC Release 11.4 SP6 |
| CVE reference. | CVE-2018-8954 |
Details
CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. Apache MyFaces is an implementation of Java Server Faces (JSF). CA Workload Automation AE uses MyFaces client-side ViewState and has disabled the default encryption (i.e. org.apache.myfaces.USE_ENCRYPTION). As a result, the attacker can send a malicious serialised payload in the ViewState back to the server. MyFaces will try to deserialise the provided ViewState and the payload will be executed even before the deserialisation of the ViewState has ended. This allows an authenticated remote attacker to conduct remote code execution attacks and obtain system level access.
All URLs that accept javax.faces.ViewStateparameter are vulnerable to this attack.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Apply patch from CA WCC Release 11.4 SP6 (https://docops.ca.com/ca-workload-automation-ae/11-4-2/en/release-notes/ca-wcc-release-notes/ca-wcc-release-11-4-sp6) released on 8 March 2018.
Additional information is available at:
https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180329-01–security-notice-for-ca-workload-automation-ae.html
Discovered By
Hamed Merati and Kacper Nowak from Sense of Security Labs.