Vulnerability report shows CVE-2017-7657: HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2)
Is Identity Manager exposed to this vulnerability?
Identity Manager is not exposed to this vulnerability.
Identity Manager system uses an Application Server to carry out the communication between Identity Manager User Console and Java Connector Server (JCS). Jetty is part of JCS and from deployment standpoint, JCS is positioned behind the Application Server. It is no way exposed to external interfaces to carry out any HTTP requests. Hence, IMS is not vulnerable to perform HTTP request smuggling with invalid request header for HTTP/0.9, HTTP request smuggling with invalid body content of HTTP/1.1 and to interpret the boundary of the HTTP request differently with more than one Content-Length headers.