During vulnerability scanning, the CA IDM (Identity Manager) Java Connector Server (JCS) was reported as allowing HTTP TRACE / TRACK
Reference:
CVE-2003-1567
CVE-2004-2320
Release : 14.X
Component : IdentityMinder(Identity Manager)
False Positive
To confirm that this is a false positive, run the curl commands below.
Command that most vulnerability scanning tools run (false positive):
curl --insecure -v -X TRACE https://localhost:20443
Results:
< HTTP/1.1 302 Found
< Location: https://localhost:20443/main
< Content-Length: 0
< Server: Jetty(6.1.x)
Although the response is 302 Found, that does not mean TRACE was serviced. A 302 is a redirect, in this case to https://localhost:20443/main as the Location header shows, and Content-Length: 0 confirms that nothing was echoed back. A genuine TRACE response is a 200 whose body reflects the request that was sent; this is what the cross-site tracing CVEs referenced above depend on.
Reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302
The proper command to test with is:
curl --insecure -v -X TRACE https://localhost:20443/main
Results:
< HTTP/1.1 405 Method Not Allowed
< Set-Cookie: JSESSIONID=1tyxxxxxxxxxxxxxxxxxxxxxx4at;Path=/
< Content-Length: 0
< Server: Jetty(6.1.x)
The vulnerability scanning tool needs to test directly against the proper path (/main). Instead, it treats the 302 Found redirect as a positive result, even though TRACE is not allowed there (405 Method Not Allowed).
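A scripted form of the check above, added here as an example and not part of the original article or of any CA tooling: it sends TRACE with a marker header, follows any redirect by hand (so the method stays TRACE and each hop is judged on its own), and only reports the endpoint as TRACE-enabled when a 200 response echoes the marker back, since a served TRACE reflects the request. The host, port and /main path are those of the article; the function names, the X-Trace-Probe header and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or from CA: probe an endpoint for HTTP TRACE
# without mistaking a redirect for a served TRACE. Requires curl.

# classify_trace STATUS BODY MARKER -> prints a verdict string.
# A served TRACE answers 200 and reflects the request (headers included) in the
# body, so "trace-enabled" requires both the 200 and our marker header in the body.
classify_trace() {
    status=$1
    body=$2
    marker=$3
    case "$status" in
        000)     echo "no-response" ;;             # curl could not connect
        3??)     echo "redirect-not-a-result" ;;   # nothing was traced: scanner false positive
        405|501) echo "trace-disabled" ;;          # Method Not Allowed / Not Implemented
        200)
            case "$body" in
                *"$marker"*) echo "trace-enabled" ;;
                *)           echo "200-without-echo" ;;   # e.g. a generic page, not a TRACE echo
            esac ;;
        *)       echo "other-$status" ;;
    esac
}

# probe_trace URL -> sends TRACE with a marker header, follows up to 5 redirects by
# hand (so the method stays TRACE and each hop is judged separately) and prints the
# verdict for the final hop. Exit status 2 means TRACE is served there.
probe_trace() {
    url=$1
    hops=0
    marker="X-Trace-Probe: $$"          # hypothetical header name, used only for echo detection
    tmp=$(mktemp)
    while [ "$hops" -lt 5 ]; do
        # -s quiet, -k accept the self-signed cert, body to $tmp,
        # -w prints "<status> <Location target or empty>" for parsing
        out=$(curl -sk -X TRACE -H "$marker" -o "$tmp" -w '%{http_code} %{redirect_url}' "$url")
        status=${out%% *}
        next=${out#* }
        verdict=$(classify_trace "$status" "$(cat "$tmp")" "$marker")
        if [ "$verdict" = "redirect-not-a-result" ] && [ -n "$next" ]; then
            echo "$url -> $status, following redirect to $next"
            url=$next
            hops=$((hops + 1))
            continue
        fi
        echo "$url -> $status: $verdict"
        rm -f "$tmp"
        case "$verdict" in
            trace-enabled) return 2 ;;
            *)             return 0 ;;
        esac
    done
    echo "$url: too many redirects" >&2
    rm -f "$tmp"
    return 1
}

# Usage: sh trace_check.sh https://localhost:20443
if [ "$#" -gt 0 ]; then
    probe_trace "$1"
fi
```

Against the JCS described in the article the script should print the 302 hop to /main and then a verdict of trace-disabled for the 405; the marker header matters because some servers answer TRACE with a 200 status page that does not echo the request, which is not the exploitable condition.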
The CA IAM Connector Server (the implementation used with CA IM) routes HTTP/HTTPS traffic through Apache ServiceMix, specifically the Camel Jetty component, in which HTTP TRACE is turned off by default.
For more information, refer to the general discussion of disabling HTTP TRACE in Apache ServiceMix/Camel in the link below (the Camel Jetty consumer option traceEnabled specifies whether HTTP TRACE is enabled for that Jetty consumer; it defaults to false).