Security scans of servers hosting Identity Manager (IDM) 15 report several vulnerabilities caused by outdated library versions under /opt/brcm/iga/conda/lib/.
Common findings include:
libcrypto.so.3: reported as OpenSSL 3.5.0 (flagged against published OpenSSL vulnerabilities)
libcurl.so.4.8.0: reported as libcurl 8.13.0
vim: reported as version 8.2 (/usr/bin/vim, which is installed by the operating system rather than by IGX)
Product: CA Identity Manager 15.0
Platform: Red Hat Enterprise Linux 9.7 (Plow)
Component: IGA Xpress (IGX) 1.0
The OpenSSL and libcurl findings are caused by the older versions of those libraries bundled with the IGA Xpress (IGX) 1.0 environment; they are not the operating system's copies.
To resolve the libcrypto and libcurl findings for the Broadcom-distributed libraries, upgrade to IGA Xpress 1.1, which ships OpenSSL 3.6.1 and libcurl 8.19.0.
Verification Steps
To confirm the current versions, run the following commands:
Check OpenSSL version with the command: strings /opt/brcm/iga/conda/lib/libcrypto.so.3 | grep "^OpenSSL"
Current (IGX 1.0): OpenSSL 3.5.0
Updated (IGX 1.1): OpenSSL 3.6.1
Check libcurl version with the command: strings /opt/brcm/iga/conda/lib/libcurl.so.4.8.0 | grep -i "libcurl/"
Current (IGX 1.0): libcurl/8.13.0
Updated (IGX 1.1): libcurl/8.19.0
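The two checks above can be scripted so that a host is classified against the IGX 1.1 baseline instead of read by eye. The script below is an added example, not Broadcom's code: it runs the same strings commands, extracts the version tokens, and compares them numerically (a plain string comparison would rank 8.9.0 above 8.13.0). The library directory, file names and baseline versions are taken from this article; the IGX_LIBDIR override and the function names are this script's own.

```shell
#!/bin/sh
# Added example (not Broadcom's code): verify the OpenSSL and libcurl builds
# bundled under /opt/brcm/iga/conda/lib against the IGX 1.1 baseline.
# Library directory, file names and baselines come from the KB article;
# the IGX_LIBDIR override and the function names are this script's own.

LIBDIR="${IGX_LIBDIR:-/opt/brcm/iga/conda/lib}"
OPENSSL_BASELINE="3.6.1"   # OpenSSL shipped with IGX 1.1
LIBCURL_BASELINE="8.19.0"  # libcurl shipped with IGX 1.1

# Pull the OpenSSL version out of `strings libcrypto.so.3` output on stdin.
# libcrypto embeds a line such as "OpenSSL 3.5.0 8 Apr 2025".
openssl_version_from_strings() {
    grep '^OpenSSL [0-9]' | head -n 1 | awk '{ print $2 }'
}

# Pull the libcurl version out of `strings libcurl.so.4.8.0` output on stdin.
# libcurl embeds its User-Agent token, e.g. "libcurl/8.13.0".
libcurl_version_from_strings() {
    grep -o 'libcurl/[0-9][0-9.]*' | head -n 1 | cut -d/ -f2
}

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# assess LABEL FOUND BASELINE: print one status line; return 0 (ok) or 1 (outdated).
assess() {
    label=$1; found=$2; baseline=$3
    if [ -z "$found" ]; then
        echo "$label: version string not found"; return 1
    fi
    if version_ge "$found" "$baseline"; then
        echo "$label: $found (meets IGX 1.1 baseline $baseline)"; return 0
    fi
    echo "$label: $found (below IGX 1.1 baseline $baseline, upgrade to IGX 1.1)"; return 1
}

# check_lib LABEL FILE EXTRACTOR BASELINE: run strings on the library if present.
check_lib() {
    label=$1; file=$2; extractor=$3; baseline=$4
    if [ ! -r "$file" ]; then
        echo "$label: $file not readable (IGX not installed here, or IGX_LIBDIR wrong)"; return 2
    fi
    if ! command -v strings >/dev/null 2>&1; then
        echo "$label: strings(1) not found; install binutils"; return 2
    fi
    found=$(strings "$file" | "$extractor")
    assess "$label" "$found" "$baseline"
}

# main: check both bundled libraries; returns 0 only if both meet the baseline.
main() {
    rc=0
    check_lib OpenSSL "$LIBDIR/libcrypto.so.3" openssl_version_from_strings "$OPENSSL_BASELINE" || rc=1
    check_lib libcurl "$LIBDIR/libcurl.so.4.8.0" libcurl_version_from_strings "$LIBCURL_BASELINE" || rc=1
    return $rc
}

# Live check against this host; $status is 0 when both libraries meet the baseline.
status=0
main || status=$?
```

Run it as root or as the IGX service account on the IDM host; set IGX_LIBDIR if the installation is not under /opt/brcm/iga. The check reads the files on disk, so after the IGX 1.1 upgrade restart the IGX processes before rescanning: a running process keeps the previously mapped library until it is restarted, and a scanner that inspects loaded libraries will still see the old version.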
The IGX 1.1 upgrade does not change the version of Vim, because Vim is not part of the Broadcom package: /usr/bin/vim is installed by the operating system. Update it with the operating system's package manager (dnf on Red Hat Enterprise Linux 9). Note that Red Hat ships Vim 8.2 in RHEL 9 and backports security fixes into that version, so a scanner that keys on the upstream version number alone may continue to report 8.2 after the package is fully patched; compare the installed RPM's release against the relevant Red Hat security advisories rather than the bare version string.