Vulnerability report shows "CVE-2017-7656: HTTP Request Smuggling when used with invalid request headers for HTTP/0.9."

Library names:
jetty-http
jetty-server
jetty-util 
jetty-servlet

Is Identity Manager exposed to this vulnerability?

 

Identity Manager 14.x

Identity Manager is not exposed to this vulnerability.

Identity Manager system uses an Application Server to carry out the communication between Identity Manager User Console and Java Connector Server (JCS). Jetty is part of JCS and from deployment standpoint, JCS is positioned behind the Application Server. It is no way exposed to external interfaces to carry out any HTTP requests. Hence, IMS is not vulnerable to perform HTTP request smuggling with invalid request header for HTTP/0.9, HTTP request smuggling with invalid body content of HTTP/1.1 and to interpret the boundary of the HTTP request differently with more than one Content-Length headers.