Web Directory Browsing vulnerability /icons/ on vApp r14.5.1
Article ID: 441874

Products

CA Identity Suite

Issue/Introduction

Security scans identify that the directory https://####/icons/ is available for browsing on the Virtual Appliance (vApp).

  • Any unauthenticated user can list the contents of the /icons/ folder.
  • Standard httpd.conf modifications are restricted for the config user on the vApp, so directory indexing cannot be disabled manually as it would be on a conventional Apache host.

Environment

  • CA Identity Suite Virtual Appliance
  • Version r14.5.1 (including CHF1 and CHF2)

Cause

The default Apache httpd configuration on the Virtual Appliance enables directory indexing for the /icons/ alias. Because that directory has no index file, Apache's mod_autoindex answers a request for /icons/ with a generated listing of the directory's contents, which security compliance scanners flag as a directory browsing (information disclosure) finding.

Resolution

A specific hotfix has been developed under defect DE670464 to disable directory browsing for the /icons/ path.

  1. Download the hotfix: HF_VA-14.5.1-20260511143804-DE670464.tgz.gpg
  2. Apply the hotfix to the affected vApp instances via the standard patch management interface.

Verification: After applying the hotfix, request https://####/icons/ in a browser or with curl. The server should now return a 403 Forbidden or 404 Not Found error instead of a directory listing (an "Index of /icons" page). Re-running the original security scan should no longer report the finding.
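The following script automates that verification step. It is an added example and is not part of this article or of the hotfix. It classifies the response from the vApp as an exposed directory listing (HTTP 200 with mod_autoindex's "Index of /icons" title, which is what the scanner flags), a hardened response (403 or 404, as expected after the hotfix), or something unexpected that needs a manual look. The hostname, the `--insecure` flag for vApps that present a self-signed certificate, and the sample responses at the bottom are assumptions constructed for the example, not captured from a real appliance.

```python
"""Check whether /icons/ on a vApp still serves an Apache directory listing.

Added example, not part of the Broadcom article or the DE670464 hotfix.
Usage:  python icons_check.py https://<vapp-host>/icons/ [--insecure]
Exit status 0 means the path is hardened (403/404), 1 otherwise.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

# Apache mod_autoindex listings carry an "Index of <path>" title and heading.
_AUTOINDEX_RE = re.compile(r"<(title|h1)>\s*Index of\s+/", re.IGNORECASE)


def classify(status, body):
    """Return 'listing', 'hardened' or 'unexpected' for one HTTP response.

    403/404 is what the article says the patched vApp returns.  A 200 whose
    body looks like mod_autoindex output is the original finding.  Anything
    else (custom index page, 500, ...) is reported for manual review rather
    than silently treated as fixed.
    """
    if status in (403, 404):
        return "hardened"
    if status == 200 and _AUTOINDEX_RE.search(body):
        return "listing"
    return "unexpected"


def fetch(url, verify_tls=True):
    """GET url and return (status, body).

    A 403/404 arrives as HTTPError, but it is still the response we want to
    classify, so it is returned rather than raised.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Assumption: the vApp may present a self-signed certificate; only
        # disable verification when explicitly asked to.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "icons-check/1.0"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_url(url, verify_tls=True):
    """Fetch url and classify the result."""
    status, body = fetch(url, verify_tls)
    return classify(status, body)


# Constructed sample responses (not captured from a real vApp), used for the
# offline self-test below.
SAMPLE_LISTING = (
    200,
    '<html><head><title>Index of /icons</title></head><body>'
    '<h1>Index of /icons</h1><ul><li><a href="a.gif">a.gif</a></li></ul>'
    '</body></html>',
)
SAMPLE_FORBIDDEN = (403, "<html><body><h1>Forbidden</h1></body></html>")
SAMPLE_CUSTOM = (200, "<html><body>Welcome</body></html>")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No URL given: run the classifier over the constructed samples.
        for name, (status, body) in (("listing", SAMPLE_LISTING),
                                     ("forbidden", SAMPLE_FORBIDDEN),
                                     ("custom", SAMPLE_CUSTOM)):
            print(f"{name:10s} HTTP {status} -> {classify(status, body)}")
        sys.exit(0)
    target = sys.argv[1]
    verdict = check_url(target, verify_tls="--insecure" not in sys.argv[2:])
    print(f"{target} -> {verdict}")
    sys.exit(0 if verdict == "hardened" else 1)
```

Run it against each patched vApp after applying the hotfix; a non-zero exit status means the listing is still exposed or the response is something other than the expected 403/404 and should be inspected by hand.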

Additional Information

If you require access to the hotfix file, please contact Broadcom Support and reference defect DE670464.