CA Identity Manager Bulk Loader Security Flaw

Article ID: 277556

Products: CA Identity Manager

Issue/Introduction

When a Bulk Loader task is used to execute any "Modify-User" type of task, there is no limit on which attributes can be modified. The Bulk Loader task does not pass through screen validation. As a result, the password, the account state, or any other user attribute can be modified even though it is NOT present on the screen of the "Modify-User" task being used, or is present but set as Read-Only.

Environment

IDM 14.4 and later

Cause

This is a design flaw and, above all, a substantial risk for customers using Bulk Client, which requires the Bulk Loader task to have Web Services enabled and therefore also makes the task reachable through TEWS.

Resolution

To avoid this risk, the only available workaround is to implement PX/BLTH validation on ALL tasks reachable through Bulk Loader that are in scope for users permitted to run Bulk Loader tasks. PX/BLTH should not be relied on as a general means of working around product security flaws.

Code changes have been made to add validation to the Bulk Loader task.
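As an added illustration (not CA's code, and not the CA Identity Manager PX/BLTH API), the following Python models the check that the task screen normally enforces and that a Bulk Loader submission bypasses: each Modify-User task carries a hypothetical allow-list of editable attributes plus a set of read-only ones, and any bulk row that touches an attribute outside that allow-list is rejected before a change is applied. The task name, attribute names, CSV layout and sample rows are all constructed for this example.

```python
"""Allow-list validation for bulk "Modify User" rows.

Added example, not CA's code and not the CA IDM BLTH/PX API. It models the
screen-level check that a Bulk Loader task skips: a task exposes a fixed set
of attributes, some read-only, and a bulk row may only change attributes
that are on the screen and editable.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskScreen:
    """Hypothetical model of what a Modify-User task screen exposes."""
    name: str
    editable: frozenset
    read_only: frozenset = frozenset()

    def check(self, changes):
        """Return (attribute, reason) for every change the screen would not allow."""
        problems = []
        for attr in sorted(changes):
            if attr in self.read_only:
                problems.append((attr, "read-only on screen"))
            elif attr not in self.editable:
                problems.append((attr, "not present on screen"))
        return problems


def validate_bulk_rows(csv_text, screen, key="uid"):
    """Split bulk CSV rows into accepted and rejected before anything is applied.

    Every non-empty column other than `key` is treated as a requested change.
    Returns (accepted, rejected): accepted holds {"user", "changes"} dicts,
    rejected holds (csv_line_number, user, problems) tuples.
    """
    accepted, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        user = row.get(key)
        if not user:
            rejected.append((line_no, None, [(key, "missing user identifier")]))
            continue
        changes = {k: v for k, v in row.items() if k != key and v not in (None, "")}
        problems = screen.check(changes)
        if problems:
            rejected.append((line_no, user, problems))
        else:
            accepted.append({"user": user, "changes": changes})
    return accepted, rejected


# Constructed screen definition: a contact-details task that shows only
# mail and telephone as editable and the employee number as read-only.
CONTACT_SCREEN = TaskScreen(
    name="Modify User - Contact Details",  # hypothetical task name
    editable=frozenset({"mail", "telephoneNumber"}),
    read_only=frozenset({"employeeNumber"}),
)

# Constructed bulk file: without the check, every column here would be applied,
# including the password and account-state columns the screen never shows.
SAMPLE_CSV = """uid,mail,telephoneNumber,employeeNumber,userPassword,enabledState
jdoe,jdoe@example.com,+1-555-0100,,,
asmith,,,E4711,,
bjones,bjones@example.com,,,Winter2024!,
ckim,,,,,0
"""


if __name__ == "__main__":
    ok, bad = validate_bulk_rows(SAMPLE_CSV, CONTACT_SCREEN)
    for entry in ok:
        print("ACCEPT", entry["user"], entry["changes"])
    for line_no, user, problems in bad:
        print("REJECT line", line_no, user, problems)
```

Only the jdoe row survives; the rows that set the employee number, a password or the account state are refused with the attribute and reason recorded, which is the information a PX/BLTH rule would need to log and deny the same submission.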

Additional Information

Reference: Defect DE580756