Symantec IGA

Proactive Security Notice for CA Identity Governance customers


    Posted 10-17-2018 10:58 AM

    October 17, 2018

     

    CA Identity Governance customers, please review the following security notice.

     

    For the latest version of this security notice, see CA20181017-01: Security Notice for CA Identity Governance

     

    CA20181017-01: Security Notice for CA Identity Governance

     

    Issued: October 17, 2018

    Last Updated: October 17, 2018

     

    CA Technologies Support is alerting customers to a low-risk issue with CA Identity Governance. In a certain product configuration, an attacker can gain sensitive information. CA published solutions to address the vulnerability.

     

    The vulnerability, CVE-2018-14597, occurs due to how CA Identity Governance responds to login requests. An attacker may exploit the vulnerability to enumerate account names.

     

    Risk Rating

     

    Low

     

    Platform(s)

     

    All supported platforms

     

    Affected Products

     

    CA Identity Suite Virtual Appliance 14.0

    CA Identity Suite Virtual Appliance 14.1

    CA Identity Suite Virtual Appliance 14.2

     

    CA Identity Governance 12.6

    CA Identity Governance 14.0

    CA Identity Governance 14.1

    CA Identity Governance 14.2

     

    How to determine if the installation is affected

     

    Customers may verify the cumulative fix level of CA Identity Suite Virtual Appliance 14.1 and CA Identity Governance 14.1 as indicated in the Solution section.

     

    For the remaining product releases, CA customers should apply the fixes from the Solution section and keep a log for future validation.

     

    Solution

     

    CA Technologies published the following solutions to address the vulnerability.

    CA Identity Suite Virtual Appliance 14.0: SS05684

    CA Identity Suite Virtual Appliance 14.1: Update to CP-IGV-140100-0002 or later

    CA Identity Suite Virtual Appliance 14.2: SS05686

    CA Identity Governance 14.2: SS05315

    CA Identity Governance 14.1: Update to CP-IG-140100-0003 or later

    CA Identity Governance 14.0: SS05312

    CA Identity Governance 12.6: SS05311

     

    References

     

    CVE-2018-14597 - Identity Governance username enumeration

     

    Acknowledgement

     

    CVE-2018-14597 - Jake Miller

     

    Change History

     

    Version 1.0: 2018-10-17 - Initial Release

     

    CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

     

    Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.

     

    To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

     

    Copyright (c) 2018 CA. All Rights Reserved. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.