Known CA Identity Manager Vulnerabilities
Article ID: 138385


Products: CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

It is common practice for companies and organizations to run penetration (pen) tests to search for vulnerabilities and exploits. CA Broadcom takes vulnerability and exploit management seriously and has a well-defined "Vulnerability Lifecycle" procedure.

Part of the procedure is to advise customers of known issues. The CA Broadcom Community Forum (https://community.broadcom.com/home) is the main point of communication, so please join and participate.

Below is a summary of issues identified in CA Identity Manager 12.5.x:


1. HttpOnly flag not enabled in Session Cookie

2. Secure flag not enabled in Session Cookie

3. Session Fixation vulnerability in 12.5 version

4. Weak Cipher Suites used (TLS 1.1 or below)

5. X-XSS-Protection Header not defined in response header

6. Strict Transport Security Misconfiguration

7. Version Information Disclosure


Environment

Release : 12.x

Component : IdentityMinder (Identity Manager)

Resolution

The issues have been resolved as follows:



1. HttpOnly flag not enabled in Session Cookie

Resolved in 14.x (DE382178).



2. Secure flag not enabled in Session Cookie

Fixed in 14.x (DE382182).



3. Session Fixation vulnerability in 12.5 version

Fixed in 14.x (DE346285).



4. Weak Cipher Suites used (TLS 1.1 or below)

Current (14.x) versions include numerous fixes and options for resolving weak cipher suite vulnerabilities.



5. X-XSS-Protection Header not defined in response header

Resolved in 14.x (DE349259, DE391685, DE382170, and others).



6. Strict Transport Security Misconfiguration

Multiple Strict Transport Security misconfiguration vulnerabilities have been resolved in current 14.x versions (DE382182, DE392702, DE391641, DE393956).



7. Version Information Disclosure

Resolved in IM 14.x (DE389995, DE389958, DE391680).
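To confirm in your own deployment that the header-visible items from the list above (1, 2, 5, 6 and 7) are no longer present after upgrading, here is an added Python check written for this article; it is not Broadcom's code. The two sample responses, the cookie name JSESSIONID and the HSTS minimum age are assumptions; items 3 (session fixation) and 4 (cipher suites) cannot be judged from a single response and need a login-flow test and a TLS scan respectively.

```python
import re

# Constructed sample responses (not captured from a real system): one that
# exhibits the header-related findings, and a hardened one for comparison.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"              # item 7: version string
    "Set-Cookie: JSESSIONID=abc123; Path=/iam\r\n"  # items 1 and 2: no flags
    "Content-Type: text/html\r\n\r\n"            # items 5 and 6: headers absent
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/iam; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)

def parse_headers(raw):
    """Return (lowercased-name, value) pairs from a raw HTTP response block."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # drop status line
    return [(n.strip().lower(), v.strip())
            for n, v in (line.split(":", 1) for line in head if ":" in line)]

def check_response(raw, session_cookie="JSESSIONID", min_hsts_age=15552000):
    """Map each header-visible finding to True when it is present in the response.

    session_cookie and min_hsts_age (180 days) are assumed values, not taken
    from the article; adjust them to your deployment's policy.
    """
    hdrs = parse_headers(raw)

    def get(name):
        return [v for n, v in hdrs if n == name]

    cookies = [v for v in get("set-cookie")
               if v.split("=", 1)[0].strip() == session_cookie]
    flags = [f.strip().lower() for c in cookies for f in c.split(";")[1:]]
    hsts = get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    versioned = [v for n in ("server", "x-powered-by")
                 for v in get(n) if re.search(r"\d+\.\d+", v)]
    return {
        "httponly_missing": bool(cookies) and "httponly" not in flags,   # item 1
        "secure_missing": bool(cookies) and "secure" not in flags,       # item 2
        "xss_protection_missing": not get("x-xss-protection"),           # item 5
        "hsts_misconfigured": age is None or int(age.group(1)) < min_hsts_age,  # item 6
        "version_disclosed": bool(versioned),                            # item 7
    }
```

Run it against a response captured from the login page of your own instance; every key should be False on a patched 14.x system with the recommended headers in place.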