Crossdomain.xml Policy Vulnerability Detected on CA PPM Servers

Document ID : KB000109689
Last Modified Date : 06/08/2018
Issue:
When testing for vulnerabilities, your internal security scans may flag CA PPM on-premises servers for a permissive crossdomain.xml policy. A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to read data across domains that the browser's same-origin policy would otherwise block. Adobe documents the file format here:
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html#header5
Resolution:
CA PPM ships the crossdomain.xml file for its integration with the Business Objects Xcelsius solution. That entire Business Objects integration has reached its EOS date; see the announcement:
http://www.ca.com/us/support/ca-support-online/product-content/status/announcement-documents/2015/ca-business-intelligence-for-ca-ppm-end-of-life-follow-up-announcement.aspx?id=%7BAF259982-D190-4C0C-837B-086AA7F5CE32%7D 

How CA PPM uses this file, and what it is needed for, is documented here:
https://docops.ca.com/ca-ppm/14-3/reporting/business-objects-reporting/business-objects-xcelsius-implementation/prepare-to-use-xcelsius 

The * (asterisk) character is a wildcard: domain="*" allows access from any domain, which is what the scanner objects to. Access can instead be restricted to named domains, which keeps outside domains out; for example, domain="*.acme.com" (any subdomain of acme.com) or domain="www.acme.com" (that one host only).

Because the Xcelsius integration is no longer in service, you can update crossdomain.xml to name your own domain instead of *, which deters potential malicious activity:
<allow-access-from domain="*.customerdomain.com"/>
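The following is an added example, not CA PPM code, showing the check a security scanner performs on crossdomain.xml (the wildcard domain, secure="false", a wildcard allow-http-request-headers-from, and site-control set to "all") and the tightening described above. The two sample policies are constructed for this example, and the domain names customerdomain.com and *.customerdomain.com are placeholders for your own domain.

```python
"""Audit a crossdomain.xml policy for permissive settings and tighten it.

Added example for this KB article; it is not CA PPM code. The sample
policies below are constructed, and *.customerdomain.com is a placeholder.
"""
import xml.etree.ElementTree as ET

XML_HEADER = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cross-domain-policy SYSTEM '
    '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
)

# Constructed sample: the kind of policy an internal scan flags as permissive.
PERMISSIVE_POLICY = XML_HEADER + """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the same policy restricted to the customer's own domain.
RESTRICTED_POLICY = XML_HEADER + """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.customerdomain.com"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings; an empty list means nothing permissive."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []

    for sc in root.findall("site-control"):
        # "all" lets any file on the host act as a policy file.
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits policy files anywhere on the host (all)")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from grants every domain (domain="*")')
        # secure="false" lets http:// origins read an https:// site's responses.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from {domain!r} has secure="false"')

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append("allow-http-request-headers-from accepts headers from any domain")

    return findings


def is_permissive(xml_text):
    return bool(audit_policy(xml_text))


def restrict_wildcards(xml_text, allowed_domain):
    """Rewrite domain="*" entries to allowed_domain (as the resolution above
    describes), drop secure="false", and tighten site-control. Returns the
    new policy text with the XML declaration and DOCTYPE restored."""
    root = ET.fromstring(xml_text)
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for rule in root.findall(tag):
            if rule.get("domain") == "*":
                rule.set("domain", allowed_domain)
            rule.attrib.pop("secure", None)  # default is secure="true"
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            sc.set("permitted-cross-domain-policies", "master-only")
    # ElementTree does not serialize the declaration or DOCTYPE, so add them back.
    return XML_HEADER + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_policy(PERMISSIVE_POLICY):
        print("FINDING:", finding)
    print(restrict_wildcards(PERMISSIVE_POLICY, "*.customerdomain.com"))
```

Run it against the crossdomain.xml served from the CA PPM web root (fetch it with curl and pass the text to audit_policy) to reproduce what the scanner reports, then verify that the rewritten file yields no findings before deploying it.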