Is IDM Vulnerable to CVE-2022-26336 or CVE-2017-12626

Article ID: 241206

Products

CA Identity Suite

Issue/Introduction

Is Identity Manager vulnerable to the CVEs described below, CVE-2022-26336 or CVE-2017-12626?

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.


Environment

Release : 14.3

Component : IdentityMinder(Identity Manager)

Resolution

These POI libraries are used only by the IDM Bulk Loader upload feed, which parses .csv and .xls files. The vulnerability is exploitable only when parsing TNEF file formats, which the application does not do.

IDM is NOT vulnerable to such attacks.
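The reasoning above (an affected poi-scratchpad version may be present, but the vulnerable HMEF/TNEF parser path is never reached) written out as a triage check. This is an added example, not code from the article or from the CA Identity Suite product; it assumes poi-scratchpad jars follow the `poi-scratchpad-X.Y.Z.jar` naming pattern, treats `.tnef` and `.dat` (winmail.dat) as the TNEF carrier extensions, and uses a constructed jar list.

```python
import re

# Constructed sample: jar names as they might appear in a deployment's lib directory.
SAMPLE_JARS = ["poi-5.2.0.jar", "poi-scratchpad-5.2.0.jar", "commons-io-2.11.0.jar"]

# CVE-2022-26336 affects poi-scratchpad 5.2.0 and prior; 5.2.1 is the fixed release.
FIXED_VERSION = (5, 2, 1)

# Assumption: TNEF content reaches an application as .tnef or as winmail.dat.
TNEF_EXTENSIONS = {".tnef", ".dat"}

# Assumption: the Maven-style jar name carries the version.
JAR_RE = re.compile(r"^poi-scratchpad-(\d+)\.(\d+)\.(\d+)\.jar$")


def scratchpad_version(jar_names):
    """Return the poi-scratchpad version tuple found among jar names, or None."""
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            return tuple(int(part) for part in m.groups())
    return None


def version_affected(version):
    """True when a poi-scratchpad version is in the affected range (< 5.2.1)."""
    return version is not None and version < FIXED_VERSION


def assess(jar_names, accepted_extensions):
    """Classify exposure to CVE-2022-26336 for one upload feature.

    accepted_extensions: the file extensions the upload feature is willing to parse.
    Returns one of:
      "not_affected"                - no poi-scratchpad, or a fixed version
      "affected_version_unreachable" - affected jar present, but no TNEF input path
      "exploitable"                  - affected jar present AND TNEF input accepted
    """
    version = scratchpad_version(jar_names)
    if not version_affected(version):
        return "not_affected"
    tnef_reachable = bool(TNEF_EXTENSIONS & {e.lower() for e in accepted_extensions})
    return "exploitable" if tnef_reachable else "affected_version_unreachable"


if __name__ == "__main__":
    # The Bulk Loader case from the article: .csv/.xls only, TNEF never parsed.
    print(assess(SAMPLE_JARS, {".csv", ".xls"}))
```

An "affected_version_unreachable" result still warrants upgrading to poi-scratchpad 5.2.1, since the component stays on the classpath and any future TNEF input path would make it reachable.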