Issued: September 21, 2017
Last Updated: September 21, 2017
CA Technologies Support is alerting customers to a potential risk with the CA Identity Manager product within the CA Identity Suite. A vulnerability exists that may allow a remote attacker to gain sensitive information.
The vulnerability, CVE-2017-9393, arises from how login attempts against a locked account are processed. A remote attacker can use an exhaustive search to potentially learn the password of a locked-out account.
All Server Environments where CA Identity Manager can be deployed. Please refer to the Platform Support Matrix in the product documentation at https://docops.ca.com.
CA Identity Manager 14.1, 14.1 Virtual Appliance
CA Identity Manager 14.0, 14.1 Virtual Appliance
CA Identity Manager 12.6 GA through SP8
How to determine if the installation is affected
All CA Identity Manager product versions are affected.
CA Identity Manager 14.1
CA Identity Manager 14.0
CA Identity Manager 12.6 SP8
CA Identity Manager 12.6 SP7
CA Identity Manager 12.6 SP6
CA Identity Manager 12.6 SP5
CA Identity Manager 12.6 SP4
CA Identity Manager 12.6 GA through SP3
CVE-2017-9393 - CA Identity Manager password exposure
CVE-2017-9393 - Jake Miller of Blue Canopy
Version 1.0: Initial Release
A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.
If additional information is required, please contact CA Technologies Support at http://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.