
Is Identity Manager/vAPP vulnerable to CVE-2022-42889


Article ID: 252489


Products

CA Identity Suite

Issue/Introduction

 

Does release 14.4 ship with, repackage, or use the affected classes or JAR file described in CVE-2022-42889?

 

CVE-2022-42889 is a newly listed vulnerability as of Oct 13, 2022:

 

https://nvd.nist.gov/vuln/detail/CVE-2022-42889#range-8454284

This is a code (script) injection vulnerability with a base score of 9.8 (Critical).

Environment

Release: 14.4

Resolution

Engineering confirmed that IDM is not vulnerable to CVE-2022-42889. The vulnerable JAR file, commons-text-*.jar, is not shipped with or used by IDM or any Identity Suite component, so CVE-2022-42889 does not affect IDM or the vApp.
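
One way to check an installation against the statement above, as an added example (not Broadcom's or the product's own tooling): it walks a directory tree, opens every JAR/WAR/EAR/ZIP including nested ones, and reports any `commons-text-*.jar` file name or any class under the Apache Commons Text package path `org/apache/commons/text/`. The function names, the archive extension list and the nesting limit are assumptions of this example, and classes relocated to a different package are not detected.

```python
import fnmatch
import io
import os
import sys
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")  # assumption: archive types worth opening
JAR_PATTERN = "commons-text-*.jar"               # jar name given in the article
CLASS_PREFIX = "org/apache/commons/text/"        # package path of Apache Commons Text


def scan_archive(source, label, hits, depth=0, max_depth=5):
    """Record hits for one archive (path or file object) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable zip container; nothing to report
    with zf:
        names = zf.namelist()
        # Classes present directly in this archive: covers repackaged (fat) jars.
        if any(n.startswith(CLASS_PREFIX) and n.endswith(".class") for n in names):
            hits.append((label, "classes"))
        for n in names:
            if not n.lower().endswith(ARCHIVE_EXTS):
                continue
            inner = f"{label}!/{n}"
            if fnmatch.fnmatch(os.path.basename(n), JAR_PATTERN):
                hits.append((inner, "jar-name"))
            if depth < max_depth:  # bound recursion into nested archives
                scan_archive(io.BytesIO(zf.read(n)), inner, hits, depth + 1, max_depth)


def scan_tree(root):
    """Return a list of (location, reason) for every match found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, f)
            if fnmatch.fnmatch(f, JAR_PATTERN):
                hits.append((path, "jar-name"))
            scan_archive(path, path, hits)
    return hits


if __name__ == "__main__":
    for location, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{location}")
```

An empty result for the product's install directory is consistent with the resolution above; any hit shows the nesting path with `!/` separators so the containing archive can be identified.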