Vulnerabilities in CA Identity Manager libraries

book

Article ID: 131631

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

CA Identity Manager employs a number of javascript libraries.  CA monitors third party code for vulnerabilities and takes appropriate action to address any issues identified.

 

A recent customer penetration test has highlighted the following libraries for investigation. 

/iam/im/app/page/nimsmintegration/api-docs/swaggerui.js 
/iam/im/app/page/nimsmintegration/api-docs/lib/jquery1.8.0.min.js 
/eurekify/portal/resources/org.odlabs.wiquery.core.com mons.CoreJavaScriptResourceReference/jquery/jquery-1.5.2.min.js 

Do these libraries have vulnerabilities which effect CA Identity Manager

 

Environment

CA Identity Manager 14.x
CA Identity Suiet 14.x

Resolution

1. Library: /iam/im/app/page/nimsmintegration/api-docs/swaggerui.js: 

Vulnerability Details: Swagger-UI prior to 2.2.1 has Cross-site Scripting (XSS) via the Default field in the Definitions section. 

Identity Manager (IM) Justification: Since the "Default field" is not exposed via IM-NIM integration, this vulnerability is NOT EXPLOITABLE through IM application. 

2. Library: /iam/im/app/page/nimsmintegration/api-docs/lib/jquery1.8.0.min.js: 

Vulnerability Details: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. 

Identity Manager (IM) Justification: As part of IM and NIM integration, IM doesn't allow users to perform cross-domain Ajax requests. Hence, this vulnerability is not exploitable through IM. 

3. Library: /eurekify/portal/resources/org.odlabs.wiquery.core.com mons.CoreJavaScriptResourceReference/jquery/jquery-1.5.2.min.js: 

Vulnerability Details: XSS vulnerability is possible in jQuery before 1.6.3, when using location.hash to select elements, that allows remote attackers to inject arbitrary web script or HTML via a crafted tag. 

Identity Governance (IG) Justification: Identity Governance (IG) doesn’t use jquery-1.5.2.min.js library directly. 

• IG uses Wicket framework and Wicket framework in turn uses wicket integration with JQuery (WIQuery) library. Wicket framework references the mentioned jquery version. 
• IG application doesn’t use location.hash to select page elements, hence IG application is not exploitable with this vulnerability. 


Summary:
Since none of these vulnerabilities are exploitable, CA has no immediate plans to upgrade these libraries as the IMAG applications do not use them directly but rather 3rd party libraries reference them.