CA20170921-01: Security Notice for CA Identity Manager (CA Identity Suite)
Issued: September 21, 2017
Last Updated: September 21, 2017
CA Technologies support is alerting customers to a potential risk with the CA Identity Manager product within the CA Identity Suite. A vulnerability exists that can possibly allow a remote attacker to gain sensitive information.
The vulnerability, CVE-2017-9393, stems from how login attempts against a locked account are processed. A remote attacker can use an exhaustive search to potentially learn the password of a locked-out account.
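One way to watch for the exhaustive search described above while patches are being rolled out, as an added example that is not CA's code: it counts login attempts that keep arriving for an account after it has been locked. The log format, event names and threshold are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log in a hypothetical format (not CA Identity Manager's own):
#   <timestamp> user=<id> src=<ip> event=<LOGIN|LOCKED|UNLOCKED>
SAMPLE_LOG = """\
2017-09-21T10:00:01Z user=jdoe src=198.51.100.7 event=LOGIN
2017-09-21T10:00:02Z user=jdoe src=198.51.100.7 event=LOGIN
2017-09-21T10:00:03Z user=jdoe src=198.51.100.7 event=LOCKED
2017-09-21T10:00:04Z user=jdoe src=198.51.100.7 event=LOGIN
2017-09-21T10:00:05Z user=jdoe src=198.51.100.7 event=LOGIN
2017-09-21T10:00:06Z user=jdoe src=203.0.113.9 event=LOGIN
2017-09-21T10:00:07Z user=jdoe src=203.0.113.9 event=LOGIN
2017-09-21T10:05:00Z user=asmith src=192.0.2.44 event=LOCKED
2017-09-21T10:05:30Z user=asmith src=192.0.2.44 event=LOGIN
2017-09-21T10:20:00Z user=asmith src=192.0.2.44 event=UNLOCKED
2017-09-21T10:20:10Z user=asmith src=192.0.2.44 event=LOGIN
truncated line without fields
"""

def parse_line(line):
    """Return the key=value fields of one log line, or None if malformed."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "src", "event"} <= fields.keys():
        return None
    return fields

def attempts_while_locked(log_text, threshold=3):
    """Map user -> (attempt count, source IPs) for logins seen after lockout."""
    locked = set()
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        user, event = rec["user"], rec["event"]
        if event == "LOCKED":
            locked.add(user)
        elif event == "UNLOCKED":
            locked.discard(user)
        elif event == "LOGIN" and user in locked:
            counts[user] += 1
            sources[user].add(rec["src"])
    return {u: (n, sorted(sources[u])) for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for user, (n, ips) in attempts_while_locked(SAMPLE_LOG).items():
        print(f"{user}: {n} login attempts while locked, from {', '.join(ips)}")
```

Counts are cumulative across lock periods, so an account that is unlocked and later locked again keeps its earlier total.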
Risk Rating
Medium
Platform(s)
All Server Environments where CA Identity Manager can be deployed. Please refer to the Platform Support Matrix in the product documentation at https://docops.ca.com.
Affected Products
CA Identity Manager 14.1, 14.1 Virtual Appliance
CA Identity Manager 14.0, 14.1 Virtual Appliance
CA Identity Manager 12.6 GA through SP8
How to determine if the installation is affected
All CA Identity Manager product versions are affected.
Solution
CA Identity Manager 14.1
- CP-IM-140100-0001 available at https://docops.ca.com/ca-identity-manager/14-1/EN/release-information/release-notes-14-1-cumulative-patches
- CP-IMV-140100-0001 available at https://docops.ca.com/ca-identity-suite/14-1/EN/ca-identity-suite-virtual-appliance/ca-identity-suite-virtual-appliance-14-1-service-packs-and-cumulative-patches/ca-identity-suite-virtual-appliance-14-1-service-packs-and-cumulative-patches (Virtual Appliance)
CA Identity Manager 14.0
- CP-IM-140001-0004 available at https://docops.ca.com/ca-identity-manager/14-0/EN/release-information/release-notes-14-0-cumulative-patches
- CP-IMV-140001-004 available at https://docops.ca.com/ca-identity-suite/14-0/EN/ca-identity-suite-virtual-appliance/ca-identity-suite-virtual-appliance-14-0-service-packs-and-cumulative-patches/ca-identity-suite-virtual-appliance-14-0-service-packs-and-cumulative-patches (Virtual Appliance)
CA Identity Manager 12.6 SP8
- CP-IM-120608-CR1-0010 available at https://docops.ca.com/ca-identity-manager/12-6-8/EN/release-information/release-notes-12-6-08-cumulative-patches
CA Identity Manager 12.6 SP7
- CP-IM-120607-0005 available at https://docops.ca.com/ca-identity-manager/12-6-07/en/release-information/release-notes-12-6-07-cumulative-patches
CA Identity Manager 12.6 SP6
- CP-IM-120606-0003 available at https://docops.ca.com/ca-identity-manager/12-6-6/en/release-information/release-notes-12-6-06-cumulative-patches
CA Identity Manager 12.6 SP5
- CP-IM-120605-CR2-0003 available at https://docops.ca.com/ca-identity-manager/12-6-5/EN/release-information/release-notes-12-6-05-cumulative-patches
CA Identity Manager 12.6 SP4
- CP-IM-120604-CR4-0007 available at https://docops.ca.com/ca-identity-manager/12-6-04/EN/release-notes-12-6-04-cumulative-patches
CA Identity Manager 12.6 GA through SP3
- Open a support ticket to request a hotfix
References
CVE-2017-9393 - CA Identity Manager password exposure
Acknowledgement
CVE-2017-9393 - Jake Miller of Blue Canopy
Change History
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.