It is common practice for companies and organizations to run PEN (penetration) tests to search for vulnerabilities and exploits. CA Broadcom takes vulnerability and exploit management seriously and has a well-defined "Vulnerability Lifecycle" procedure.
Part of the procedure is to advise customers of known issues. The CA Broadcom Community Forum (https://community.broadcom.com/home) is the main point of communication so please join and participate.
Below is a summary of issues identified in CA Identity Manager 12.5.x:
1. HTTP Only flag not enabled in Session Cookie
2. Secure flag not enabled in Session Cookie
3. Session Fixation vulnerability in 12.5 version
4. Weak Cipher Suites used - TLS 1.1 or below
5. X-XSS-Protection Header not defined in response header
6. Strict Transport Security Misconfiguration
7. Version Information Disclosure
Release : 12.x
Component : IdentityMinder(Identity Manager)
The issues have been resolved as follows:
1. HTTP Only flag not enabled in Session Cookie
Resolved in 14.x (DE382178).
2. Secure flag not enabled in Session Cookie
Fixed in 14.x (DE382182).
3. Session Fixation vulnerability in 12.5 version
Fixed in 14.x (DE346285).
4. Weak Cipher Suites used - TLS 1.1 or below.
Current (14.x) versions include numerous fixes and options for resolving weak cipher suite vulnerabilities.
5. X-XSS-Protection Header not defined in response header.
Resolved in 14.x (DE349259, DE391685, DE382170, and others).
6. Strict Transport Security Misconfiguration.
Multiple Strict Transport Security Misconfiguration vulnerabilities have been resolved in current 14.x versions (DE382182, DE392702, DE391641, DE393956).
7. Version Information Disclosure
Resolved in IM 14.x (DE389995, DE389958, DE391680).
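As an added illustration (not CA/Broadcom code), the following Python check parses a constructed HTTP response and reports which of the header and cookie findings above (items 1, 2, 5, 6 and 7) are present, so an administrator can verify a patched instance after upgrading; item 4 (cipher suites) is a TLS-layer setting and is not visible in response headers. The sample response, the session cookie name SESSIONID, the Server header value and the "version looks like digits.digits" pattern are assumptions for the example, not Identity Manager specifics.

```python
import re
from email.message import Message

# Constructed sample response (not captured from any real system); the
# cookie name and server banner are placeholders for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleAppServer/9.2.1\r\n"
    "Set-Cookie: SESSIONID=0123abcd; Path=/\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Message:
    """Drop the status line and parse the header block (case-insensitive names)."""
    _status, _, header_block = raw.replace("\r\n", "\n").partition("\n")
    return __import__("email").message_from_string(header_block)

def cookie_attributes(set_cookie: str) -> set[str]:
    """Lower-cased attribute names (httponly, secure, path, ...) of a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}

def audit_response(raw: str, session_cookie: str = "SESSIONID") -> list[str]:
    """Return the advisory findings (numbered as above) present in a raw response."""
    headers = parse_headers(raw)
    findings = []
    for cookie in headers.get_all("Set-Cookie", []):
        if cookie.split("=", 1)[0].strip() != session_cookie:
            continue  # only the session cookie is in scope for items 1 and 2
        attrs = cookie_attributes(cookie)
        if "httponly" not in attrs:
            findings.append("1: HttpOnly flag not set on session cookie")
        if "secure" not in attrs:
            findings.append("2: Secure flag not set on session cookie")
    # Item 5: browsers no longer honour this header, but scanners still report it.
    if headers.get("X-XSS-Protection") is None:
        findings.append("5: X-XSS-Protection header not defined")
    # Item 6: treat a missing header or a non-positive max-age as misconfigured.
    hsts = headers.get("Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None or max_age is None or int(max_age.group(1)) <= 0:
        findings.append("6: Strict-Transport-Security missing or max-age not positive")
    # Item 7: a dotted number in a banner header is taken as a version string.
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"7: version information disclosed in {name} header")
    return findings
```

Running audit_response(SAMPLE_RESPONSE) reports items 1, 2, 5, 6 and 7 for the sample; a response with Secure and HttpOnly on the cookie, a positive max-age, the X-XSS-Protection header and a bannerless Server header returns an empty list.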