Critical vulnerability with WCC

Document ID : KB000008539
Last Modified Date : 14/02/2018
Issue:

The AutoSys WCC application allows Deferred expressions to be injected through several input parameters. This is a critical vulnerability.


Environment:
WCC Version: 11.4 SP5
Resolution:

1. If the end users in your WCC environment do not use the “Application Editor” tab to create jobs, do the following:

a. Update the EEM ‘Access policies’ so that users are not shown ‘Application Editor’: log in to EEM, navigate to ‘Manage Access Policies’, and under the ‘Policies’/‘Search Policies’ section choose the ‘ApplicationAccess’ policy and uncheck the ApplicationEditor action for the user groups.

b. Comment out the following two ILOG-related configurations (the filter with its mapping, and the servlet with its mapping) in the “/opt/CA/<WorkloadCC>/tomcat/webapps/app-editor/WEB-INF/web.xml” file:

<filter>
    <description>Used to validate values of URL parameters used by iLog to prevent using forbidden values to get access to filesystem.</description>
    <filter-name>ILogResourceFilter</filter-name>
    <filter-class>com.ca.wcc.filter.ILogResourceFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>IlogController</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class>
    <init-param>
        <param-name>ilog.views.faces.ilvAuthorizedServletsList</param-name>
        <param-value>com.ca.wcc.editor.*</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern>
</servlet-mapping>
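A quick way to confirm that step 1.b actually took effect is to parse the edited web.xml and look for any mapping that still routes the ILOG path /_contr/*. The script below is an added example, not part of this CA article or the WCC product; the two embedded web.xml fragments are constructed samples of the file before and after the mappings are commented out.

```python
"""Added check (not part of the CA article): parse a WCC app-editor web.xml and
report whether any servlet-mapping or filter-mapping still routes /_contr/*,
the IBM ILOG endpoint the article says to comment out."""
import xml.etree.ElementTree as ET

ILOG_URL_PATTERN = "/_contr/*"   # url-pattern from the article's web.xml


def _local(tag):
    """Strip an XML namespace prefix so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def active_ilog_mappings(web_xml_text):
    """Return [(mapping-kind, name, url-pattern)] still routing /_contr/*.

    ElementTree drops <!-- --> comments, so a commented-out section is not seen
    and an empty result means the article's mitigation step 1.b is in place.
    """
    root = ET.fromstring(web_xml_text)
    hits = []
    for el in root:
        kind = _local(el.tag)
        if kind not in ("servlet-mapping", "filter-mapping"):
            continue
        name_tag = "servlet-name" if kind == "servlet-mapping" else "filter-name"
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("url-pattern") == ILOG_URL_PATTERN:
            hits.append((kind, fields.get(name_tag), ILOG_URL_PATTERN))
    return hits


# Constructed sample: the two mappings as they ship, before mitigation.
UNMITIGATED_WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>ILogResourceFilter</filter-name>
    <url-pattern>/_contr/*</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>IlogController</servlet-name>
    <url-pattern>/_contr/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: the same file after step 1.b, both mappings commented out.
MITIGATED_WEB_XML = UNMITIGATED_WEB_XML.replace(
    "<filter-mapping>", "<!-- <filter-mapping>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    for label, text in (("before", UNMITIGATED_WEB_XML), ("after", MITIGATED_WEB_XML)):
        print(label, active_ilog_mappings(text) or "no /_contr/* mappings active")
```

Run it against the real file with `active_ilog_mappings(open(path).read())`; anything returned means the ILOG controller or its filter is still reachable.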


As additional information: in the next release we are moving away from the IBM ILOG component, so this problem will no longer exist.

Additional Information:

A permanent fix will be included in 11.3.6 SP7.