Information regarding CA Identity Manager and vulnerability CVE-2017-5638

Document ID : KB000015988
Last Modified Date : 28/02/2019
Question:

Is CA Identity Manager impacted by vulnerability CVE-2017-5638?

Answer:


Identity Manager 12.0, 12.5, 12.6, 14.0 and 14.1 use an older Apache Struts version, 1.2.9, which is not vulnerable to the CVE-2017-5638 exploit.


Identity Manager 14.2 has upgraded the Struts version to Apache Struts 2.5.14.1 which is also not vulnerable to the CVE-2017-5638 exploit.

You can find details on this in the documentation here:
https://docops.ca.com/ca-identity-manager/14-2/EN/release-information/release-notes-14-2

    Upgraded to Apache Struts 2.5.14.1 to overcome security vulnerabilities.

    CA Identity Manager release 14.2 uses Apache Struts 2.5.14.1 for Management Console. With Apache Struts 2.5.14.1 support, the given changes are applicable:

        Management Console Access URL: The URL to access Management Console programmatically has changed. The syntax of the new URL is as follows:
        http://<HOST_NAME>:<PORT>/iam/immanage/env!listEnvs
        http://<HOST_NAME>:<PORT>/iam/immanage/env!editEnv?envoid=1
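
To confirm which Struts version a given installation actually ships, the following added example (not CA's code and not part of the original article) scans a directory for Struts core jars and compares their versions against the CVE-2017-5638 affected ranges from Apache advisory S2-045 (2.3.5 through 2.3.31, and 2.5 through 2.5.10). The jar file-name pattern and the directory passed to `scan` are assumptions.

```python
import re
from pathlib import Path

# Affected ranges for CVE-2017-5638 per Apache advisory S2-045, inclusive bounds.
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Assumed naming: struts-1.2.9.jar, struts-core-<v>.jar, struts2-core-2.5.14.1.jar.
# Plugin jars (struts2-*-plugin-<v>.jar) are deliberately not matched.
JAR_RE = re.compile(r"^struts2?(?:-core)?-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.14.1' -> (2, 5, 14, 1)"""
    return tuple(int(part) for part in text.split("."))


def pad(version, width=4):
    """Right-pad with zeros so 2.5 and 2.5.10.1 compare as 2.5.0.0 and 2.5.10.1."""
    return version + (0,) * (width - len(version))


def is_affected(version):
    """True if the version string falls inside an S2-045 affected range."""
    v = pad(parse_version(version))
    return any(pad(lo) <= v <= pad(hi) for lo, hi in AFFECTED)


def scan(root):
    """Return {jar path: (version, affected)} for Struts core jars under root."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        match = JAR_RE.match(jar.name)
        if match:
            version = match.group(1)
            findings[str(jar)] = (version, is_affected(version))
    return findings


if __name__ == "__main__":
    # Versions named in the article, plus boundary versions of the affected ranges.
    for v in ("1.2.9", "2.5.14.1", "2.3.31", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

A file name only indicates the version; where jars are renamed or unversioned, read the version from the jar's `META-INF/MANIFEST.MF` instead.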