Vulnerability - CVE-2004-2734, CVE-2014-0053 - in Java Connector Server

Article ID: 221256

Products

CA Identity Manager

Issue/Introduction

The JCS web console can be accessed using the following URLs:

http://10.100.38.18:20080/WEB-INF/web.xml
https://10.100.38.18:20443/WEB-INF/web.xml

This is a JCS vulnerability: web.xml must be private, and the above pages should not be visible.

Environment

Release : 14.3 CP2

Component : IdentityMinder(Identity Manager)

Resolution

A new hotfix, HF_DE509670, is provided to address the CVE-2004-2734 and CVE-2014-0053 vulnerabilities in the Java Connector Server console.
The fix must be installed on top of 14.3 CP2.

The fix is included in IM 14.4.
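
A post-install check for the condition described above, added here as an example (it is not part of the original article or of the vendor's hotfix): it requests WEB-INF/web.xml from each JCS console base URL you pass in and reports whether the deployment descriptor is still served. The function names, the 64 KB read limit and the self-signed certificate handling are assumptions of this example.

```python
import ssl
import sys
import urllib.error
import urllib.request

# The path named in the article; a servlet container must never serve it.
PROTECTED_PATH = "/WEB-INF/web.xml"


def classify(status, body):
    """Return 'exposed', 'blocked' or 'inconclusive' for one HTTP response."""
    text = body[:65536].decode("utf-8", errors="replace").lower()
    if status == 200 and "<web-app" in text:
        return "exposed"  # the deployment descriptor itself came back
    if status in (400, 401, 403, 404):
        return "blocked"
    # 200 with an error or login page, 5xx, etc.: needs a manual look
    return "inconclusive"


def fetch(base_url, timeout=10.0):
    """GET base_url + PROTECTED_PATH and return (status, body)."""
    ctx = ssl.create_default_context()
    # Assumption: the console uses a self-signed certificate, so verification
    # is turned off for this one read-only request.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + PROTECTED_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def check(base_urls, fetcher=fetch):
    """Map each base URL to its classification."""
    return {url: classify(*fetcher(url)) for url in base_urls}


if __name__ == "__main__":
    # Usage: python check_webinf.py http://<jcs-host>:20080 https://<jcs-host>:20443
    outcome = check(sys.argv[1:])
    for url, verdict in outcome.items():
        print(f"{verdict:12} {url}{PROTECTED_PATH}")
    sys.exit(1 if "exposed" in outcome.values() else 0)
```

Run it before and after installing the hotfix; an exit code of 1 means at least one console port still returned the descriptor.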