A penetration scan has identified the CVE-2009-4611 vulnerability against a server running the CA Identity Manager JCS (Java Connector Server) 14.3.
Is this vulnerability putting our server / network at risk?
Release : 14.3.x
Component : IdentityMinder(Identity Manager)
CVE-2009-4611 affects Jetty 6.x through 6.1.22 and 7.0.0. IM JCS uses Jetty v7.2.2, so it is not affected. However, the JCS code includes a customization that uses the servicemix bundle of the Jetty v6.1.26_1-fuse library. This may lead to false positives, because the Jetty version is reported as 6.x (this can be seen using curl -vvv).
The vulnerability (CVE-2009-4611), escape sequence injection via the "Cookie Dump Servlet", the HTTP Content-Length header and "jsp/expr.jsp", is not possible against JCS: the custom bundle of the Jetty v6.1.26_1-fuse library is a trimmed version consisting of a single JAR file, without any of the sample code that contains the vulnerable servlet ("Cookie Dump Servlet") and JSP ("jsp/expr.jsp").
In summary, there is no way that this vulnerability can be exploited through the Jetty customization used in the JCS server. The IM JCS uses Jetty libraries for its internal use and does not expose Jetty web container capabilities directly to the end-users. None of the Jetty code that is vulnerable (mentioned in CVE-2009-4611) is exposed via JCS.
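The two checks behind this conclusion (does the reported banner fall in the affected range, and does the bundled JAR contain the sample servlet or JSP) can be repeated when triaging the scanner finding. The following is an added example, not code from CA or from the original article; the banner strings and JAR contents are constructed in memory, and the "cookiedump" name fragment is an assumption about how the sample servlet class would be named.

```python
import io
import re
import zipfile

def banner_in_affected_range(server_header):
    """True/False for a Jetty banner; None when no x.y.z version is present."""
    m = re.search(r"Jetty\((\d+)\.(\d+)\.(\d+)", server_header, re.I)
    if not m:
        return None
    ver = tuple(int(part) for part in m.groups())
    # Range as stated on this page: 6.x through 6.1.22, and 7.0.0.
    return (6, 0, 0) <= ver <= (6, 1, 22) or ver == (7, 0, 0)

# "jsp/expr.jsp" is the path named on this page; the class-name fragment
# "cookiedump" is an assumption about how the sample servlet is packaged.
SAMPLE_MARKERS = ("cookiedump", "jsp/expr.jsp")

def find_sample_code(jar_bytes):
    """Return entry names matching a marker, descending into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            low = name.lower()
            if any(marker in low for marker in SAMPLE_MARKERS):
                hits.append(name)
            elif low.endswith((".jar", ".war")):
                try:
                    nested = find_sample_code(jar.read(name))
                except zipfile.BadZipFile:
                    continue  # not a readable archive; nothing to list
                hits.extend(f"{name}!{inner}" for inner in nested)
    return hits

def build_jar(entries):
    """Build an in-memory archive from {entry name: bytes} (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not real product artifacts.
TRIMMED = build_jar({"META-INF/MANIFEST.MF": b"", "org/mortbay/jetty/Server.class": b""})
WITH_SAMPLES = build_jar({"com/acme/CookieDump.class": b"", "jsp/expr.jsp": b""})

if __name__ == "__main__":
    for banner in ("Server: Jetty(6.1.22)", "Server: Jetty(6.1.26)", "Server: Jetty(6.1.x)"):
        print(banner, "->", banner_in_affected_range(banner))
    print("trimmed bundle:", find_sample_code(TRIMMED))
    print("bundle with samples:", find_sample_code(WITH_SAMPLES))
```

A banner that only says "6.x" returns None from the version check, which is the case where inspecting the JAR contents is what settles the finding.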