Change Download Preference

Current Preference
Change Preference to:

CA20170921-01: Security Notice for CA Identity Manager (CA Identity Suite)

Issued: September 21, 2017
Last Updated: September 21, 2017

CA Technologies support is alerting customers to a potential risk with the CA Identity Manager product within the CA Identity Suite. A vulnerability exists that can possibly allow a remote attacker to gain sensitive information.

The vulnerability, CVE-2017-9393, occurs due to how login attempts are processed with a locked account. A remote attacker can use an exhaustive search to potentially learn the password of a locked-out account.

Risk Rating



All Server Environments where CA Identity Manager can be deployed. Please refer to the Platform Support Matrix in the product documentation at

Affected Products

CA Identity Manager 14.1, 14.1 Virtual Appliance
CA Identity Manager 14.0, 14.1 Virtual Appliance
CA Identity Manager 12.6 GA through SP8

How to determine if the installation is affected

All CA Identity Manager product versions are affected.


CA Identity Manager 14.1

CA Identity Manager 14.0

CA Identity Manager 12.6 SP8

CA Identity Manager 12.6 SP7

CA Identity Manager 12.6 SP6

CA Identity Manager 12.6 SP5

CA Identity Manager 12.6 SP4

CA Identity Manager 12.6 GA through SP3

  • Open a support ticket to request a hotfix


CVE-2017-9393 - CA Identity Manager password exposure


CVE-2017-9393 - Jake Miller of Blue Canopy

Change History

Version 1.0: Initial Release

A notification about this security notice will be sent to customers who are subscribed to Proactive Notifications.

If additional information is required, please contact CA Technologies Support at

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.