Issued: October 17, 2018
Last Updated: October 17, 2018
CA Technologies Support is alerting customers to a low-risk issue with CA Identity Governance. In a certain product configuration, an attacker can gain sensitive information. CA published solutions to address the vulnerability.
The vulnerability, CVE-2018-14597, occurs due to how CA Identity Governance responds to login requests. An attacker may exploit the vulnerability to enumerate account names.
All supported platforms
CA Identity Suite Virtual Appliance 14.0
CA Identity Suite Virtual Appliance 14.1
CA Identity Suite Virtual Appliance 14.2
CA Identity Governance 12.6
CA Identity Governance 14.0
CA Identity Governance 14.1
CA Identity Governance 14.2
How to determine if the installation is affected
Customers may verify the cumulative fix level of CA Identity Suite Virtual Appliance 14.1 and CA Identity Governance 14.1 as indicated in the Solution section.
For the remaining product releases, CA customers should apply the fixes from the Solution section and keep a log for future validation.
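The fix-level check for the two 14.1 products can be scripted across an inventory. The following is an added example, not CA tooling: it assumes the identifier reads as CP-<product>-<release>-<sequence> with a higher sequence meaning a later cumulative patch, takes the installed level as a string (how it is read from the product is not covered here), and uses constructed host names and sample values.

```python
import re

# Minimum cumulative fix levels stated in this advisory's Solution section.
# Key: (product code, release code) as they appear inside the identifier.
MINIMUM_FIXED = {
    ("IGV", "140100"): 2,  # CA Identity Suite Virtual Appliance 14.1
    ("IG", "140100"): 3,   # CA Identity Governance 14.1
}

# Assumed layout: CP-<product>-<release>-<sequence>, e.g. CP-IG-140100-0003.
_CP_RE = re.compile(r"^CP-([A-Z]+)-(\d+)-(\d+)$")


def parse_fix_level(identifier):
    """Split a cumulative patch identifier into (product, release, sequence)."""
    match = _CP_RE.match(identifier.strip().upper())
    if match is None:
        raise ValueError(f"not a cumulative patch identifier: {identifier!r}")
    product, release, sequence = match.groups()
    return product, release, int(sequence)


def assess(identifier):
    """Return 'fixed', 'affected' or 'unknown' for an installed fix level."""
    product, release, sequence = parse_fix_level(identifier)
    minimum = MINIMUM_FIXED.get((product, release))
    if minimum is None:
        # Releases other than 14.1: the advisory gives no fix level to compare
        # against, so the applied-fix log is the evidence, not this check.
        return "unknown"
    return "fixed" if sequence >= minimum else "affected"


if __name__ == "__main__":
    # Constructed sample inventory (host names and levels are hypothetical).
    inventory = {
        "ig-prod-01": "CP-IG-140100-0003",
        "ig-test-01": "CP-IG-140100-0002",
        "vapp-prod-01": "CP-IGV-140100-0002",
        "vapp-old-01": "CP-IGV-140000-0005",
    }
    for host, level in sorted(inventory.items()):
        print(f"{host}: {level} -> {assess(level)}")
```

An "unknown" result means the release has no fix level to compare against in this notice, so the record of applied fixes is what validates it.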
CA Technologies published the following solutions to address the vulnerability.
CA Identity Suite Virtual Appliance 14.0:
CA Identity Suite Virtual Appliance 14.1:
Update to CP-IGV-140100-0002 or later
CA Identity Suite Virtual Appliance 14.2:
CA Identity Governance 14.2:
CA Identity Governance 14.1:
Update to CP-IG-140100-0003 or later
CA Identity Governance 14.0:
CA Identity Governance 12.6:
CVE-2018-14597 - Identity Governance username enumeration
CVE-2018-14597 - Jake Miller
Version 1.0: 2018-10-17 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.