CA20190904-01: Security Notice for CA Common Services Distributed Intelligence Architecture (DIA)
Issued: September 4th, 2019
Last Updated: October 14, 2019
CA Technologies Support is alerting customers to a potential risk with CA Common Services in the Distributed Intelligence Architecture (DIA) component. A vulnerability exists, CVE-2019-13656, that can allow a remote attacker to execute arbitrary code. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.
Risk Rating
High
Platform(s)
All supported platforms
Affected Products
CA Common Components DIA
CA Technologies products that bundle this software include:
CA Client Automation 14 and later versions
CA Workload Automation AE 11.3.5 and 11.3.6
How to determine if the installation is affected
CA Client Automation:
Customers should review the Solution section to determine whether the fix is present. The installation is vulnerable only when the Distributed Intelligence Architecture (DIA) service is installed.
CA Workload Automation Autosys:
The Distributed Intelligence Architecture (DIA) service is installed only when any (or all) of the following components from the CA Common Components DVD are installed
- Common Communication Interface (CCI) – To schedule jobs on Mainframe/JMO
- Event Manager
- MCC
Run the following commands to determine DIA Installation:
Linux/Unix
- command ‘unifstat’
- If the output contains "CA-diadna", then DIA is running and warrants patch installation.
Windows
- Verify if the service "CA DIA 1.3 DNA" is running in system services - Start>Run>services.msc
- If the service "CA DIA 1.3 DNA" is listed, then it warrants patch installation
Solution
CA published the following solutions to address the vulnerabilities. Fixes are available on the CA support site.
CA Client Automation:
Windows
Solution: SO09605
Linux
Solution: SO09633
CA Workload Automation Autosys:
The following are the fixes published by the Workload Automation Autosys Product team for the vulnerability CVE-2019-13656 reported against Distributed Intelligence Architecture (DIA) shipped with CA Common Components DVD.
Windows
Solution: SO09111
Linux
Solution: SO09057
HP-UX
Solution: SO09086
Solaris
Solution: SO09084
AIX
Solution: SO09085
Patch Validation
The script applypatch.bat for Windows and applypatch.sh for Linux and Unix platforms when run should not produce any errors in its console output. The script starts the NSM services at the end of the patch application process. A successful patch application is manifested in the form of all services coming up successfully.
References
CVE-2019-13656 - Ca Common Services remote code execution
Acknowledgement
CVE-2019-13656 - Fredrik Ravne, Oslo Børs
Change History
Version 1.0: 2019-09-04 - Initial Release
Version 2.0: 2019-10-14 - Updated how to determine section and solution section for Workload Automation Autosys
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.