CVE-2017-7658: HTTP request containing more than one Content-Length header to cause Jetty and an upstream HTTP agent (such as an origin server or another proxy) to interpret the boundary of the HTTP request differently.

Article ID: 122906

Updated On:

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Identity Suite

Issue/Introduction

Vulnerability report shows "CVE-2017-7658: HTTP request containing more than one Content-Length header to cause Jetty and an upstream HTTP agent (such as an origin server or another proxy) to interpret the boundary of the HTTP request differently."
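The following is an added example, not part of this article or of Jetty's code, showing the framing check a reverse proxy or origin server is expected to apply so that two HTTP agents cannot disagree on where a request body ends. It follows the RFC 7230 section 3.3.2 rule: a request with several Content-Length values (repeated headers or a comma-separated list) is acceptable only when every value is the same valid decimal number; otherwise the request is rejected rather than forwarded. The sample requests, the host name example.test and all function names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple


class HttpFramingError(ValueError):
    """Raised when a request's message framing is ambiguous or malformed."""


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into the request line and
    lower-cased (name, value) header pairs. Body bytes after the blank
    line are ignored here; only framing is examined."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # No colon, empty name, or whitespace around the name (e.g. "Content-Length :")
        # are malformed and are treated as a framing error rather than guessed at.
        if not sep or not name or name != name.strip():
            raise HttpFramingError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Apply the RFC 7230 §3.3.2 rule for Content-Length.

    Returns the declared body length, None when no Content-Length is present,
    and raises HttpFramingError when the values conflict or are not plain
    decimal numbers. Rejecting the request here is what prevents a proxy and
    an origin from each picking a different header and a different boundary.
    """
    values: List[str] = []
    for name, value in headers:
        if name == "content-length":
            # A single field may also carry a comma-separated list ("5, 5").
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return None
    if any(not re.fullmatch(r"[0-9]+", v) for v in values):
        raise HttpFramingError(f"non-numeric Content-Length: {values}")
    if len(set(values)) != 1:
        raise HttpFramingError(f"conflicting Content-Length values: {values}")
    return int(values[0])


def is_ambiguous(raw: bytes) -> bool:
    """True when the request must be rejected because its framing is unsafe."""
    try:
        _, headers = parse_request_head(raw)
        content_length(headers)
        return False
    except HttpFramingError:
        return True


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_SAME = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
CONFLICTING = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 30\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("duplicate-same", DUPLICATE_SAME),
                       ("conflicting", CONFLICTING)):
        print(f"{label:15s} reject={is_ambiguous(req)}")
```

A server that merely takes the first or the last Content-Length it sees will accept the conflicting request and frame it one way, while a proxy in front of it may frame it the other way; the check above refuses to forward or process such a request at all, which is the behaviour the CVE text is describing the absence of.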

Library names:
jetty-http
jetty-server
jetty-util 
jetty-servlet

Is Identity Manager exposed to this vulnerability?

Environment

Release:
Component: IDMGR

Resolution

Identity Manager is not exposed to this vulnerability.

Identity Manager uses an Application Server to carry out the communication between the Identity Manager User Console and the Java Connector Server (JCS). Jetty is part of JCS, and from a deployment standpoint JCS is positioned behind the Application Server; it is in no way exposed to external interfaces that could carry out HTTP requests against it. Hence, IMS is not vulnerable to HTTP request smuggling with an invalid request header for HTTP/0.9, to HTTP request smuggling with invalid body content for HTTP/1.1, or to differing interpretation of the HTTP request boundary caused by more than one Content-Length header.