Multiple Vulnerabilities in Symantec Identity Manager 14.4
Support Content Notification - Broadcom Support Portal
Product/Component
- CA Identity Governance
- CA Identity Manager
- CA Identity Portal
- CA Identity Suite
Notification Id
21136
Last Updated
16 December 2022
Initial Publication Date
16 December 2022
Status
CLOSED
Severity
HIGH
CVSS Base Score
8.6
Summary
Symantec has released an update to address the following issues, which were discovered in Symantec Identity Manager 14.4:
- Authentication Bypass of Management Console in Symantec Identity Manager 14.4
- Remote Command Execution (RCE) on Management Console in Symantec Identity Manager 14.4
- XML eXternal Entity injection (XXE) on Management Console in Symantec Identity Manager 14.4
Affected Product(s): Identity Governance And Administration - Identity Manager
CVE: CVE-2022-25626, CVE-2022-25627, CVE-2022-25628
Supported Version(s): 14.3, 14.4
Remediation:
- Customers who are on 14.3 CP3 or 14.4 CP1 can apply the hotfix (link in the ‘References’ section)
- 14.4 CP2 already contains the remediation for these vulnerabilities
Issue Details
CVE-2022-25626
Severity / CVSS v3.0:
High/8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
References:
NVD: CVE-2022-25626
Impact:
Authentication Bypass
Description:
An unauthenticated user can access Identity Manager’s management console specific page URLs. However, the system doesn’t allow the user to carry out server side tasks without a valid web session.
CVE-2022-25627
Severity / CVSS v3.0:
High/7.2 (AV:H/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L)
References:
NVD: CVE-2022-25627
Impact:
Remote Command Execution (RCE)
Description:
An authenticated administrator who has physical access to the environment can carry out Remote Command Execution on the Management Console in Symantec Identity Manager 14.4.
CVE-2022-25628
Severity / CVSS v3.0:
Low/3.1 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)
References:
NVD: CVE-2022-25628
Impact:
XML eXternal Entity injection (XXE)
Description:
An authenticated user can perform XML eXternal Entity injection in the Management Console in Symantec Identity Manager 14.4.
Acknowledgements
- CVE-2022-25626: Hugo Boutinon & Undr of AXA Group Security
- CVE-2022-25627: Hugo Boutinon & Undr of AXA Group Security
- CVE-2022-25628: Hugo Boutinon & Undr of AXA Group Security
References
IGA 14.4:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
IGA 14.3:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
Revisions
2022-12-16 Initial public release