Identity Manager: Impact of libcurl vulnerabilities CVE-2026-6429 and CVE-2026-7168



Article ID: 442788


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

Security scanners (such as Tenable Nessus) may flag the libcurl library located in /opt/CA/IdentityManager/ProvisioningServer/lib/libcurl.so.4.4.0 as vulnerable to the following CVEs:

  • CVE-2026-6429: Netrc password leak vulnerability.
  • CVE-2026-7168: Cross-proxy Digest authentication state leak vulnerability.

Environment

  • Product: Identity Manager (IMPS)
  • Versions: 14.5.x, 15.0
  • Platform: RHEL, Windows

Cause

The vulnerabilities exist in libcurl versions prior to 8.20.0. However, an application is only susceptible if it uses the specific libcurl features and option combinations that trigger each issue.

Resolution

Broadcom Engineering has confirmed that Identity Manager is not exposed to these vulnerabilities due to the specific way libcurl is implemented within the Provisioning Server.

Technical Analysis

CVE-2026-6429 (Netrc Password Leak)

Triggering this vulnerability requires three conditions to be active simultaneously:

  1. Use of a .netrc file for credentials (CURLOPT_NETRC).
  2. HTTP redirects are followed (CURLOPT_FOLLOWLOCATION).
  3. An HTTP proxy is used (CURLOPT_PROXY).

Identity Manager Implementation: The etacallbacklib only uses the CURLOPT_URL option to set the target server. It does not use .netrc files, nor does it allow redirections or proxy servers for these operations. Therefore, the exploit conditions cannot be met.

CVE-2026-7168 (Cross-Proxy Digest Auth Leak)

This occurs when an application reuses a libcurl handle, switches proxy hosts mid-transfer, and uses Digest Authentication.

Identity Manager Implementation: Identity Manager does not configure CURLOPT_PROXY or Proxy Digest Authentication (CURLOPT_PROXYAUTH) for these notifications. Proxy hosts are never swapped during a handle's lifecycle, making the implementation unaffected.
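To turn the two condition lists above into a repeatable check, the following Python helper (added here; it is not Broadcom's code and not part of the product) applies the article's rules to the CURLOPT_* names found in an application's source. It assumes a C code base that sets options through curl_easy_setopt, and it treats the options only as necessary conditions: handle reuse and mid-transfer proxy switching for CVE-2026-7168 are runtime behaviour that a static scan cannot confirm, so a "not exposed" verdict here means a required option is absent, nothing more.

```python
"""Exposure check for CVE-2026-6429 / CVE-2026-7168 from the libcurl options an
application actually sets, using the trigger conditions stated in the article."""
import re

FIXED_VERSION = (8, 20, 0)  # first libcurl release that mitigates both CVEs

# Options that must ALL be set before each CVE can be triggered at all.
# (Necessary, not sufficient: runtime behaviour such as proxy switching is not visible here.)
TRIGGER_CONDITIONS = {
    "CVE-2026-6429": {"CURLOPT_NETRC", "CURLOPT_FOLLOWLOCATION", "CURLOPT_PROXY"},
    "CVE-2026-7168": {"CURLOPT_PROXY", "CURLOPT_PROXYAUTH"},
}

def parse_version(text):
    """'libcurl/8.4.0' or '8.20.0' -> (8, 20, 0); raises if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())

def curl_options_used(source):
    """Collect the CURLOPT_* names passed to curl_easy_setopt in C source text."""
    return set(re.findall(r"curl_easy_setopt\s*\(\s*[^,]+,\s*(CURLOPT_[A-Z_]+)", source))

def assess(version, options):
    """Return {cve: (exposed, sorted list of trigger options the code does not set)}."""
    lib_affected = parse_version(version) < FIXED_VERSION
    result = {}
    for cve, needed in TRIGGER_CONDITIONS.items():
        missing = sorted(needed - options)
        result[cve] = (lib_affected and not missing, missing)
    return result

# Constructed sample modelled on the article: only CURLOPT_URL (plus a write callback) is set.
SAMPLE_SOURCE = """
CURL *h = curl_easy_init();
curl_easy_setopt(h, CURLOPT_URL, notify_url);
curl_easy_setopt(h, CURLOPT_WRITEFUNCTION, on_body);
"""

if __name__ == "__main__":
    opts = curl_options_used(SAMPLE_SOURCE)
    # "libcurl/8.4.0" is a constructed version string for the demonstration.
    for cve, (exposed, missing) in assess("libcurl/8.4.0", opts).items():
        print(cve, "EXPOSED" if exposed else f"not exposed; unset trigger options: {missing}")
```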


Additional Information

Remediation & Roadmap

  • Identity Manager 15.0.1: This release (expected late June 2026) will include libcurl version 8.20.0, which formally mitigates these CVEs.
  • Identity Manager 14.5.x: There are no plans to backport the library update to the 14.5 branch due to toolchain dependencies. However, since the product is not vulnerable to the exploits, no immediate remediation is required for 14.5.x users beyond acknowledging the non-exploitable status.