Crossdomain.xml Policy Vulnerability detected

Article ID: 109689

Products

Clarity PPM On Premise

Issue/Introduction

Vulnerability against Cross Domain Policy - A code scan detects a vulnerability on Clarity on-premise servers caused by permissive crossdomain.xml policies, and reports a high-severity alert for the Flash cross-domain policy.

Cause

Security Scan 

Environment

Release: All supported Clarity versions
Component: PPMSEC

Resolution

This document explains how Clarity uses the crossdomain.xml file a

This vulnerability was fixed in version 15.3. Customers on a version below 15.3 need to update the crossdomain.xml files, replacing * with their own domain name, to deter potential malicious activity: vulnerability scanners treat access granted to all domains as an intrusion risk.

Step A.
You can use the * (asterisk) character as a wildcard: domain="*" allows access from any domain. Restricting the domain attribute limits access from outside domains. For example, specify your own domain:

<allow-http-request-headers-from domain="<domain_name>" headers="*" secure="false" />
<allow-access-from domain="<domain_name>" secure="false" />

There are 4 crossdomain.xml files that need to be updated:

  • <CA PPM Install>\tomcat-nsa-deploy\ROOT\crossdomain.xml
  • <CA PPM Install>\tomcat-app-deploy\ROOT\crossdomain.xml
  • <CA PPM Install>\config\crossdomain.xml
  • <CA PPM Install>\.setup\templates\crossdomain.xml
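The check below is an added example, not part of this article or of Clarity itself: it parses a crossdomain.xml policy, reports every grant that a scanner would flag as permissive (domain="*" or a "*." prefix), and rewrites those grants to your own domain as Step A describes. The sample policy and the domain ppm.example.com are constructed for illustration; run it against each of the four files listed above.

```python
"""Audit and tighten Flash crossdomain.xml policies (added example)."""
import xml.etree.ElementTree as ET

# Policy elements that grant a domain access; both accept domain="*".
GRANT_TAGS = ("allow-access-from", "allow-http-request-headers-from")

# Constructed sample policy; not taken from a real Clarity install.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="*" secure="false" />
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""


def find_permissive_grants(policy_xml: str) -> list:
    """Return each grant whose domain is a wildcard (what scanners flag).

    A bare '*' admits any origin; a '*.example.com' prefix admits a whole
    subtree, so it is reported too for the reviewer to confirm.
    """
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        domain = elem.get("domain", "")
        if elem.tag in GRANT_TAGS and (domain == "*" or domain.startswith("*.")):
            findings.append({"element": elem.tag, "domain": domain,
                             "secure": elem.get("secure", "true")})
    return findings


def restrict_policy(policy_xml: str, own_domain: str) -> str:
    """Rewrite wildcard grants to own_domain, as Step A in the article does.

    Only the domain attribute changes; other attributes are preserved.
    """
    root = ET.fromstring(policy_xml)
    for elem in root.iter():
        if elem.tag in GRANT_TAGS and elem.get("domain", "").startswith("*"):
            elem.set("domain", own_domain)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_permissive_grants(PERMISSIVE_POLICY):
        print(f"{f['element']}: domain={f['domain']} secure={f['secure']}")
    print(restrict_policy(PERMISSIVE_POLICY, "ppm.example.com"))
```

The rewritten policy is returned without the XML declaration, so re-add it when writing the file back.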


Additional Information

Any other external data source integration done with Clarity also needs its cross-domain policies specified. Detailed information can be found here.

Clarity also has cross-site configuration settings, which are documented here.