CA Identity Governance Username Enumeration

2018.10.20
Credit: Kevin Kotas
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20181017-01: Security Notice for CA Identity Governance Issued: October 17, 2018 Last Updated: October 17, 2018 CA Technologies Support is alerting customers to a low risk issue with CA Identity Governance. In a certain product configuration, an attacker can gain sensitive information. CA published solutions to address the vulnerability. The vulnerability, CVE-2018-14597, occurs due to how CA Identity Governance responds to login requests. An attacker may exploit the vulnerability to enumerate account names. Risk Rating Low Platform(s) All supported platforms Affected Products CA Identity Suite Virtual Appliance 14.0 CA Identity Suite Virtual Appliance 14.1 CA Identity Suite Virtual Appliance 14.2 CA Identity Governance 12.6 CA Identity Governance 14.0 CA Identity Governance 14.1 CA Identity Governance 14.2 How to determine if the installation is affected Customers may verify the cumulative fix level of CA Identity Suite Virtual Appliance 14.1 and CA Identity Governance 14.1 as indicated in the Solution section. For the remaining product releases, CA customers should apply the fixes from the Solution section and keep a log for future validation. Solution CA Technologies published the following solutions to address the vulnerability. CA Identity Suite Virtual Appliance 14.0: SS05684 CA Identity Suite Virtual Appliance 14.1: Update to CP-IGV-140100-0002 or later CA Identity Suite Virtual Appliance 14.2: SS05686 CA Identity Governance 14.2: SS05315 CA Identity Governance 14.1: Update to CP-IG-140100-0003 or later CA Identity Governance 14.0: SS05312 CA Identity Governance 12.6: SS05311 References CVE-2018-14597 - Identity Governance username enumeration Acknowledgement CVE-2018-14597 - Jake Miller Change History Version 1.0: 2018-10-17 - Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT> ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Kevin Kotas Vulnerability Response Director CA Technologies Product Vulnerability Response Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsFVAwUBW8d217lJjor7ahBNAQiGlBAAh+OKV+Nxd8gsQrybebvfSZMdCnm3u3Nr /leDwdZTZnpIBjoXZ2XqVxuBCGEPSxDhZgiev+JtykRw1VM+G6gk5U7MRrYQuflG QkznAT/XF2PS48ckmtTI6AAz2FdIjcO0PWtmM+0iIj3dpF9oyjC5swDShRvsX2Ws 7tJyFQUnvLbtzaiFgRZ6I6kVj30as+FSrYzX1aseIVq9t6SvVXdn1nTuIczbTF80 B3xCoMybFzS+XWQXd2huD3vgAafO+W+IuOXitLAsy5p0uT/JGNsx+Ek3LB20f9XC NofD08FdmVfiCs8uBftR070J9fsvTKjv2orNWHP34kKbJQfeCipzfQRXZImgA0of 45aj3bpxxDRq1AZsxCvVF9i8UheJrgjscbEz31KVxlEBBAumm9g5EZEapTW8TqX3 Myhbh4PSncRcqqi1PpVbmHjkFDaB3EL0eaJSeWbV4tOBej3lxvYytCoHWkpoe9+v C7Wn6Wf/hk5AuMDLL4s8RZHYRT1geEGiMV32RUgcuMSeGzgUDrQaDE/bcJNuMxu7 i77OFmy8u338/ggHLn51LcoMkPl8sDrHk44WvYLCfPwJcWhlyA0KdTmADMhOlk8I zFH1Ti/HNz1g+u1tIo50vkKUard8bcb3Etvj/SXD3y2g7pAWFays00yhSOGCLpjb 7c8gLqzXdy0= =lgVP -----END PGP SIGNATURE-----


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top