Symantec Identity Manager/Portal/Governance - CWE-89 / SQL Injection

Article ID: 281487

Products

CA Identity Manager

Issue/Introduction

A recent scan has shown the possibility of being exposed to CWE-89.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

https://cwe.mitre.org/data/definitions/89.html

Environment

Release : 14.X

Component : Virtual Appliance

Component : Identity Manager

Resolution

Identity Manager:
Is NOT vulnerable to SQL injections. 
Sustaining Engineering has reviewed this vulnerability and has confirmed that the product is not vulnerable or exploitable in this manner.

Identity Portal:
Is NOT vulnerable to SQL injections. 
Justification: Identity Portal's data access layer and its whole schema are designed based on JPA entities only. There are no native SQL parameterized queries used in it. The DAO layer leverages only POJOs for its interaction with the DB layer.

Identity Governance:
Is NOT vulnerable to SQL injections. 
Justification: Identity Governance leverages prepared statements for all user-initiated interactions at the DAO layer to prevent SQL injections.

Reference: DE592006
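
The prepared-statement justification given for Identity Governance, illustrated as an added example (not code from Symantec or from the product): a DAO-style lookup written once with string concatenation, the CWE-89 pattern, and once with a bound parameter. It assumes Python's sqlite3 as a stand-in for the product's DAO layer; the table, columns and sample rows are constructed.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (login TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO account VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return db

def find_concatenated(db, login):
    """CWE-89 pattern: the input is spliced into the SQL text itself."""
    sql = "SELECT login, role FROM account WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()

def find_prepared(db, login):
    """Prepared-statement pattern: the SQL text is fixed and the input is
    bound as a value, so quote characters in it stay data."""
    sql = "SELECT login, role FROM account WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

def compare(db, login):
    """Run both lookups; a syntax error from the concatenated form is
    reported as the string 'error' instead of a row list."""
    try:
        concatenated = find_concatenated(db, login)
    except sqlite3.Error:
        concatenated = "error"
    return concatenated, find_prepared(db, login)

if __name__ == "__main__":
    db = make_db()
    # A plain value, a legitimate value containing a quote, and a value
    # that changes the WHERE clause when concatenated.
    for value in ("bob", "o'brien", "nobody' OR '1'='1"):
        print(repr(value), compare(db, value))
```

When reviewing a scanner's CWE-89 finding, the question for each flagged query is which of the two forms it uses: a fixed SQL string with bound values, or SQL text assembled from input.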