CVE-2018-1270 - Spring Framework Security Vulnerability
Article ID: 231944
Products

CA Identity Manager

Issue/Introduction

A penetration test has flagged the Spring Framework library, version 4.3.4, which ships with CA Identity Manager (Symantec IGA), as having a Remote Code Execution vulnerability, CVE-2018-1270: https://nvd.nist.gov/vuln/detail/CVE-2018-1270

Is there a patch or fix available for this?


Environment

Release : 14.3

Component : Identity Manager

Resolution

IM Engineering has assessed this vulnerability and supplied the following feedback:


CA Identity Manager (IM) does not currently support a newer version of Spring; however, IM is not impacted by this vulnerability.

CVE-2018-1270 concerns the STOMP messaging support exposed in the spring-messaging module, which we do not ship.
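As an added verification check, not part of the CA article or the product: a POSIX shell script that inventories the Spring jars under an install directory and reports whether any spring-messaging jar is present, bare on disk or packaged inside a WAR/EAR. The install path, the demo directory layout and the jar names below are constructed assumptions, not IM's real layout.

```shell
#!/bin/sh
# Added verification check (not from the CA article): confirm that an
# Identity Manager install directory carries no spring-messaging jar, the
# module that hosts the STOMP code covered by CVE-2018-1270.
# Paths and sample jar names below are assumptions for the demo.

# Print every spring-*.jar found under DIR, one per line (inventory).
spring_jars() {
  find "$1" -type f -name 'spring-*.jar' 2>/dev/null | sort
}

# Print spring-messaging jars under DIR: bare on disk, or listed inside a
# .war/.ear when `unzip` is available. Exit 0 if any were found, 1 if none.
spring_messaging_jars() {
  dir="$1"
  hits=$( {
    find "$dir" -type f -name 'spring-messaging*.jar' 2>/dev/null
    if command -v unzip >/dev/null 2>&1; then
      find "$dir" -type f \( -name '*.war' -o -name '*.ear' \) 2>/dev/null |
      while IFS= read -r archive; do
        unzip -l "$archive" 2>/dev/null | grep -q 'spring-messaging[^/]*\.jar$' \
          && echo "$archive (nested)"
      done
    fi
  } )
  [ -n "$hits" ] && { printf '%s\n' "$hits"; return 0; }
  return 1
}

# Constructed demo tree (not a real IM layout): Spring 4.3.4 jars, no messaging.
demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/spring-core-4.3.4.RELEASE.jar"
  : > "$d/lib/spring-web-4.3.4.RELEASE.jar"
  echo "$d"
}

if [ -z "$SKIP_DEMO" ]; then
  t=$(demo_tree)
  echo "Spring jars shipped:"; spring_jars "$t"
  if spring_messaging_jars "$t"; then
    echo "spring-messaging present: CVE-2018-1270 exposure needs review"
  else
    echo "spring-messaging absent: STOMP code path is not shipped"
  fi
  rm -rf "$t"
fi
```

Run it against the real install root instead of the demo tree (for example `spring_messaging_jars /opt/CA/IdentityManager`, an assumed path) to confirm the article's claim for your own deployment.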


Additional Information

As per our analysis and the links below, IM is not impacted by this vulnerability because we do not ship the spring-messaging module.

https://access.redhat.com/security/cve/CVE-2018-1270

https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce/java/sid-6069