Crossdomain.xml Policy Vulnerability Detected on CA PPM Servers

Article Id: 109689
Status: Published
Updated On: 22-10-2018 13:27
Products:
CLARITY PPM FOR ITG , Clarity PPM On Premise , CLARITY PPM FEDERAL , Clarity PPM SaaS , Clarity PPM SaaS - Application , Clarity PPM SaaS - Application , Clarity PPM On Premise
Issue/Introduction:

When testing for vulnerabilities your internal security scans may detect a vulnerability on CA PPM on-premise servers regarding permissive crossdomain.xml policies and results in a high alert on Flash cross-domain policy. A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html#header5
 

Environment:

Release:
Component: PPMSEC

Resolution:

The following is where we document how we use the CA PPM crossdomain.xml file and for: 
https://docops.ca.com/ca-ppm/14-3/reporting/business-objects-reporting/business-objects-xcelsius-implementation/prepare-to-use-xcelsius 

Please note this vulnerability was corrected in CA PPM 15.3. You can you can still use in PPM 14.3 and need to update the crossdomain.xml, put your domain name instead of * to deter potential malicious activity. Vulnerability Scanners find all domains access as an intrusion risk.

Step A.
​You can use the * (asterisk) character as a wildcard. domain=* allows access from any domain. The domain access can be restricted, which limits the access for outside domains. For example, specify your domain:
<allow-http-request-headers-from domain="<domain_name>"  headers="*" secure="false" /> 
<allow-access-from domain="<domain_name>" secure="false" />

There are technically 4 crossdomain.xml files that need to be updated:
<CA PPM Install>\tomcat-nsa-deploy\ROOT\crossdomain.xml
<CA PPM Install>\tomcat-app-deploy\ROOT\crossdomain.xml
<CA PPM Install>\config\crossdomain.xml
<CA PPM Install>\.setup\templates\crossdomain.xml

Step B.
Alternative to the security measure above, Step B should remove flag from the Vulnerability Scanner and only be implemented if the CA PPM/Business Objects Xcelsius Solution integration is no longer used by the organization.
Comment out the lines in all the crossdomain.xml policy files.
For example,
<cross-domain-policy>
<!--allow-access-from domain="<domain_name>" /><allow-access-from domain="<domain_name>" />-->
</cross-domain-policy>

If implement Step A (restrict policy to only allow domains required for the application to function, i.e., remove wildcard policies and inappropriate domains) and still the Vulnerability Scanner flags the crossdomain.xml policy, we do not have a workaround as CA PPM is working as designed. Please discuss with Security Team will need to make an exception in their security policy. The crossdomain.xml file is used for our integration into the Business Objects Xcelsius Solution. Since the whole Business Objects integration has reached its EOS date: 
http://www.ca.com/us/support/ca-support-online/product-content/status/announcement-documents/2015/ca-business-intelligence-for-ca-ppm-end-of-life-follow-up-announcement.aspx?id=%7BAF259982-D190-4C0C-837B-086AA7F5CE32%7D 
 

Additional Information:

Whenever Xcelsius or any other external datasource integration done with CA PPM needs specification of the crossdomain policies. You can find the exact specifications we use here: 
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf