Correcting the XML External Entity(XXE) exploit in CA Access Gateway

Document ID : KB000007489
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

It has been determined that CA Access Gateway 12.52 SP1 b499 is vulnerable to the XML External Entity(XXE) exploit. An attacker exploiting this vulnerability is able to retrieve confidential data and access sensitive files on the server, e.g. the "passwd" file. 

SiteMinder's "affwebservices" part contains two SOAP services: router and session. You can send a SOAP request to the endpoints with an external entity reference inside the parameter, this will cause an exception when the service tries to parse the contents of a requested system file (/etc/passwd, for example) into a valid date/timestamp.  Exception from service object: Unparseable date: is obtained followed by the data from /etc/passwd. 

Environment:
PS 12.52 SP1 CR02 build 766 SPS 12.52 SP1 build 499
Resolution:

Issue is corrected in CA Access Gateway R12.51 CR10 Build#1612

As a workaround, the following workarounds are also suggested

  • add & ampersand to BadCSSChars 
  • add string validation for the accessTimestamp to check for integers and/or proper date formatting