HTTP Tracing Vulnerability on IDM JCS Servers


Article ID: 195710


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


During vulnerability scanning, a customer's scanner reported that the CA IDM (Identity Manager) Java Connector Server (JCS) had the HTTP TRACE method enabled.


This is a false positive.


Release : 14.3

Component : IdentityMinder (Identity Manager)


In general terms, the JCS is designed to sit on the internal network, not in the DMZ or on the internet, so even an enabled HTTP TRACE method on it would be a low-severity finding (TRACE is mainly a concern for cross-site tracing of cookies and credentials on browser-facing endpoints). In this case, however, the finding is a false positive: HTTP TRACE is turned off on the JCS.


You can verify this in your own environment.


Note that the HttpOnly column shown for cookies in Google Chrome's developer tools (F12 > Application tab > load the connector server URL > Cookies in the left panel > select the cookie) is a cookie attribute: it controls whether script on the page can read the cookie. It has no relation to the HTTP TRACE method, so an unchecked HttpOnly box does not show that TRACE is disabled (and a checked one would not show that it is enabled).

The check that actually exercises the method is to send a TRACE request to the connector server's HTTP listener and inspect the response. TRACE is enabled only if the server answers 200 and echoes the request line and headers back in the response body. A 405 (Method Not Allowed), 501 or other error response, or any response that does not echo the request, means TRACE is not serviced. Scanners that key on the status code alone rather than on the echo are a common source of this false positive.

Note: The JCS HTTP listener is a Jetty consumer. Its traceEnabled option specifies whether to enable HTTP TRACE for that consumer and defaults to false, so if the option is not present in the configuration TRACE is disabled. In our deployment it is off.

[Screenshot (not reproduced here): Chrome developer tools, Application > Cookies, showing the connector server cookie with the HttpOnly box unchecked. As noted above, this reflects the cookie attribute only, not the state of HTTP TRACE.]
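The following script is an added example for this article, not CA/Broadcom code. It performs the TRACE check described above: it sends a TRACE request carrying a random marker header and treats TRACE as enabled only when the server answers 200 and echoes the marker back. To show why status-only checks produce false positives, it also includes three constructed loopback test doubles: one that echoes (TRACE enabled), one that refuses with 405 (TRACE disabled), and one that answers 200 with a generic page (not TRACE, but flagged by a status-only scanner). The host and port of the connector server are assumptions; pass your own on the command line.

```python
"""Probe an HTTP listener for an enabled TRACE method.

Added example; not CA/Broadcom code. The connector server host and port
are assumptions supplied by the caller.
"""
import http.client
import http.server
import secrets
import threading

MARKER_HEADER = "X-Trace-Probe"


def probe_trace(host, port, path="/", timeout=5.0):
    """Send TRACE with a random marker header and classify the response.

    TRACE is considered enabled only when the status is 200 and the marker
    is echoed in the body (the TRACE response body is the request as
    received). Anything else, including a 200 with a generic body, is not a
    working TRACE method, although a status-only scanner may flag it.
    """
    marker = "probe-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    echoed = resp.status == 200 and marker in body
    return {
        "status": resp.status,
        "echoed": echoed,
        "verdict": "TRACE enabled" if echoed else "TRACE disabled",
    }


class TraceEnabledHandler(http.server.BaseHTTPRequestHandler):
    """Constructed test double: TRACE enabled, request echoed back."""

    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the demo quiet
        pass


class TraceDisabledHandler(http.server.BaseHTTPRequestHandler):
    """Constructed test double: TRACE refused, as a hardened listener does."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    def log_message(self, *args):
        pass


class GenericOkHandler(http.server.BaseHTTPRequestHandler):
    """Constructed test double: 200 with a static page, no echo (false-positive case)."""

    def do_TRACE(self):
        page = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):
        pass


def run_demo():
    """Start each test double on a loopback port, probe it, return the results."""
    doubles = (
        ("enabled", TraceEnabledHandler),
        ("disabled", TraceDisabledHandler),
        ("generic_200", GenericOkHandler),
    )
    results = {}
    for name, handler in doubles:
        server = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[name] = probe_trace("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python trace_probe.py <jcs-host> <jcs-port>
        print(probe_trace(sys.argv[1], int(sys.argv[2])))
    else:
        for name, result in run_demo().items():
            print(name, result)
```

Run it with no arguments to see the three cases side by side, or with the JCS host and port to probe a real listener. Only the "enabled" double is reported as TRACE enabled; the "generic_200" double returns 200 but is correctly classified as disabled because nothing is echoed, which is the distinction a scanner has to make to avoid this false positive.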