October 17, 2018
CA Identity Governance customers, please review the following security notice.
For the latest version of this security notice, see CA20181017-01: Security Notice for CA Identity Governance.
CA20181017-01: Security Notice for CA Identity Governance
Issued: October 17, 2018
Last Updated: October 17, 2018
CA Technologies Support is alerting customers to a low-risk issue with CA Identity Governance. In a certain product configuration, an attacker can gain sensitive information. CA published solutions to address the vulnerability.
The vulnerability, CVE-2018-14597, occurs due to how CA Identity Governance responds to login requests. An attacker may exploit the vulnerability to enumerate account names.
Risk Rating
Low
Platform(s)
All supported platforms
Affected Products
CA Identity Suite Virtual Appliance 14.0
CA Identity Suite Virtual Appliance 14.1
CA Identity Suite Virtual Appliance 14.2
CA Identity Governance 12.6
CA Identity Governance 14.0
CA Identity Governance 14.1
CA Identity Governance 14.2
How to determine if the installation is affected
Customers may verify the cumulative fix level of CA Identity Suite Virtual Appliance 14.1 and CA Identity Governance 14.1 as indicated in the Solution section.
For the remaining product releases, CA customers should apply the fixes from the Solution section and keep a log for future validation.
Solution
CA Technologies published the following solutions to address the vulnerability.
CA Identity Suite Virtual Appliance 14.0: SS05684
CA Identity Suite Virtual Appliance 14.1: Update to CP-IGV-140100-0002 or later
CA Identity Suite Virtual Appliance 14.2: SS05686
CA Identity Governance 14.2: SS05315
CA Identity Governance 14.1: Update to CP-IG-140100-0003 or later
CA Identity Governance 14.0: SS05312
CA Identity Governance 12.6: SS05311
References
CVE-2018-14597 - Identity Governance username enumeration
Acknowledgement
CVE-2018-14597 - Jake Miller
Change History
Version 1.0: 2018-10-17 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.