Multiple Vulnerabilities in Symantec Identity Manager 14.4
Summary
Symantec has released an update to address the following issues, which were discovered in Symantec Identity Manager 14.4:
- Authentication Bypass of Management Console in Symantec Identity Manager 14.4
- Remote Command Execution (RCE) on Management Console in Symantec Identity Manager 14.4
- XML eXternal Entity injection (XXE) on Management Console in Symantec Identity Manager 14.4
Affected Product(s)
Identity Governance And Administration - Identity Manager

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2022-25626, CVE-2022-25627, CVE-2022-25628 | 14.3, 14.4 | |
Issue Details
| CVE-2022-25626 | |
| --- | --- |
| Severity / CVSS v3.0: | High / 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) |
| References: | NVD: CVE-2022-25626 |
| Impact: | Authentication Bypass |
| Description: | An unauthenticated user can access specific page URLs of Identity Manager's management console. However, the system does not allow the user to carry out server-side tasks without a valid web session. |

| CVE-2022-25627 | |
| --- | --- |
| Severity / CVSS v3.0: | High / 7.2 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L) |
| References: | NVD: CVE-2022-25627 |
| Impact: | Remote Command Execution (RCE) |
| Description: | An authenticated administrator who has physical access to the environment can carry out Remote Command Execution on the Management Console in Symantec Identity Manager 14.4. |

| CVE-2022-25628 | |
| --- | --- |
| Severity / CVSS v3.0: | Low / 3.1 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N) |
| References: | NVD: CVE-2022-25628 |
| Impact: | XML eXternal Entity injection (XXE) |
| Description: | An authenticated user can perform XML eXternal Entity injection in the Management Console in Symantec Identity Manager 14.4. |
Acknowledgements
- CVE-2022-25626: Hugo Boutinon & Undr of AXA Group Security
- CVE-2022-25627: Hugo Boutinon & Undr of AXA Group Security
- CVE-2022-25628: Hugo Boutinon & Undr of AXA Group Security
References
IGA 14.4:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
IGA 14.3:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
Revisions
2023-01-20 Updated the Attack Vector (AV) metric for CVE-2022-25627 from AV:H/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L to AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L
2022-12-16 Initial public release