Issued: September 21, 2017
Last Updated: September 21, 2017

CA Technologies support is alerting customers to a potential risk with the CA Identity Manager product within the CA Identity Suite. A vulnerability exists that can possibly allow a remote attacker to gain sensitive information.

The vulnerability, CVE-2017-9393, occurs due to how login attempts are processed with a locked account. A remote attacker can use an exhaustive search to potentially learn the password of a locked-out account.

Risk Rating

Medium

Platform(s)

All Server Environments where CA Identity Manager can be deployed. Please refer to the Platform Support Matrix in the product documentation at https://docops.ca.com.

Affected Products

CA Identity Manager 14.1, 14.1 Virtual Appliance
CA Identity Manager 14.0, 14.1 Virtual Appliance
CA Identity Manager 12.6 GA through SP8

How to determine if the installation is affected

All CA Identity Manager product versions are affected.

Solution

CA Identity Manager 14.1

• CP-IM-140100-0001 available at https://docops.ca.com/ca-identity-manager/14-1/EN/release-information/release-notes-14-1-cumulative-patches
• CP-IMV-140100-0001 available at https://docops.ca.com/ca-identity-suite/14-1/EN/ca-identity-suite-virtual-appliance/ca-identity-suite-virtual-appliance-14-1-service-packs-and-cumulative-patches/ca-identity-suite-virtual-appliance-14-1-service-packs-and-cumulative-patches (Virtual Appliance)

CA Identity Manager 14.0

• CP-IM-140001-0004 available at https://docops.ca.com/ca-identity-manager/14-0/EN/release-information/release-notes-14-0-cumulative-patches
• CP-IMV-140001-004 available at https://docops.ca.com/ca-identity-suite/14-0/EN/ca-identity-suite-virtual-appliance/ca-identity-suite-virtual-appliance-14-0-service-packs-and-cumulative-patches/ca-identity-suite-virtual-appliance-14-0-service-packs-and-cumulative-patches (Virtual Appliance)

CA Identity Manager 12.6 SP8

• CP-IM-120608-CR1-0010 available at https://docops.ca.com/ca-identity-manager/12-6-8/EN/release-information/release-notes-12-6-08-cumulative-patches

CA Identity Manager 12.6 SP7

• CP-IM-120607-0005 available at https://docops.ca.com/ca-identity-manager/12-6-07/en/release-information/release-notes-12-6-07-cumulative-patches

CA Identity Manager 12.6 SP6

• CP-IM-120606-0003 available at https://docops.ca.com/ca-identity-manager/12-6-6/en/release-information/release-notes-12-6-06-cumulative-patches

CA Identity Manager 12.6 SP5

• CP-IM-120605-CR2-0003 available at https://docops.ca.com/ca-identity-manager/12-6-5/EN/release-information/release-notes-12-6-05-cumulative-patches

CA Identity Manager 12.6 SP4

• CP-IM-120604-CR4-0007 available at https://docops.ca.com/ca-identity-manager/12-6-04/EN/release-notes-12-6-04-cumulative-patches

CA Identity Manager 12.6 GA through SP3

• Open a support ticket to request a hotfix

References

CVE-2017-9393 - CA Identity Manager password exposure

Acknowledgement

CVE-2017-9393 - Jake Miller of Blue Canopy

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.