CA20181017-01: Security Notice for CA Identity Governance

Issued: October 17, 2018
Last Updated: October 17, 2018

CA Technologies Support is alerting customers to a low-risk issue with CA Identity Governance. In a certain product configuration, an attacker can gain sensitive information. CA published solutions to address the vulnerability.

The vulnerability, CVE-2018-14597, occurs due to how CA Identity Governance responds to login requests. An attacker may exploit the vulnerability to enumerate account names.

Risk Rating

Low

Platform(s)

All supported platforms

Affected Products

CA Identity Suite Virtual Appliance 14.0
CA Identity Suite Virtual Appliance 14.1
CA Identity Suite Virtual Appliance 14.2

CA Identity Governance 12.6
CA Identity Governance 14.0
CA Identity Governance 14.1
CA Identity Governance 14.2

How to determine if the installation is affected

Customers may verify the cumulative fix level of CA Identity Suite Virtual Appliance 14.1 and CA Identity Governance 14.1 as indicated in the Solution section.

For the remaining product releases, CA customers should apply the fixes from the Solution section and keep a log for future validation.

Solution

CA Technologies published the following solutions to address the vulnerability.

CA Identity Suite Virtual Appliance 14.0:
SS05684

CA Identity Suite Virtual Appliance 14.1:
Update to CP-IGV-140100-0002 or later

CA Identity Suite Virtual Appliance 14.2:
SS05686

CA Identity Governance 14.2:
SS05315

CA Identity Governance 14.1:
Update to CP-IG-140100-0003 or later

CA Identity Governance 14.0:
SS05312

CA Identity Governance 12.6:
SS05311

References

CVE-2018-14597 - Identity Governance username enumeration

Acknowledgement

CVE-2018-14597 - Jake Miller

Change History

Version 1.0: 2018-10-17 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.