Crossdomain.xml Policy Vulnerability Detected on CA PPM Servers
Article ID: 109689
Updated On:
Products
CLARITY PPM FOR ITG
CLARITY PPM FEDERAL
Clarity PPM SaaS - Application
Clarity PPM On Premise
Issue/Introduction
When testing for vulnerabilities your internal security scans may detect a vulnerability on CA PPM on-premise servers regarding permissive crossdomain.xml policies and results in a high alert on Flash cross-domain policy. A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html#header5
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html#header5
Environment
Release:
Component: PPMSEC
Component: PPMSEC
Resolution
The following is where we document how we use the CA PPM crossdomain.xml file and for:
https://docops.ca.com/ca-ppm/14-3/reporting/business-objects-reporting/business-objects-xcelsius-implementation/prepare-to-use-xcelsius
Please note this vulnerability was corrected in CA PPM 15.3. You can you can still use in PPM 14.3 and need to update the crossdomain.xml, put your domain name instead of * to deter potential malicious activity. Vulnerability Scanners find all domains access as an intrusion risk.
Step A.
You can use the * (asterisk) character as a wildcard. domain=* allows access from any domain. The domain access can be restricted, which limits the access for outside domains. For example, specify your domain:
<allow-http-request-headers-from domain="<domain_name>" headers="*" secure="false" />
<allow-access-from domain="<domain_name>" secure="false" />
There are technically 4 crossdomain.xml files that need to be updated:
<CA PPM Install>\tomcat-nsa-deploy\ROOT\crossdomain.xml
<CA PPM Install>\tomcat-app-deploy\ROOT\crossdomain.xml
<CA PPM Install>\config\crossdomain.xml
<CA PPM Install>\.setup\templates\crossdomain.xml
Step B.
Alternative to the security measure above, Step B should remove flag from the Vulnerability Scanner and only be implemented if the CA PPM/Business Objects Xcelsius Solution integration is no longer used by the organization.
Comment out the lines in all the crossdomain.xml policy files.
For example,
<cross-domain-policy>
<!--allow-access-from domain="<domain_name>" /><allow-access-from domain="<domain_name>" />-->
</cross-domain-policy>
If implement Step A (restrict policy to only allow domains required for the application to function, i.e., remove wildcard policies and inappropriate domains) and still the Vulnerability Scanner flags the crossdomain.xml policy, we do not have a workaround as CA PPM is working as designed. Please discuss with Security Team will need to make an exception in their security policy. The crossdomain.xml file is used for our integration into the Business Objects Xcelsius Solution. Since the whole Business Objects integration has reached its EOS date:
http://www.ca.com/us/support/ca-support-online/product-content/status/announcement-documents/2015/ca-business-intelligence-for-ca-ppm-end-of-life-follow-up-announcement.aspx?id=%7BAF259982-D190-4C0C-837B-086AA7F5CE32%7D
https://docops.ca.com/ca-ppm/14-3/reporting/business-objects-reporting/business-objects-xcelsius-implementation/prepare-to-use-xcelsius
Please note this vulnerability was corrected in CA PPM 15.3. You can you can still use in PPM 14.3 and need to update the crossdomain.xml, put your domain name instead of * to deter potential malicious activity. Vulnerability Scanners find all domains access as an intrusion risk.
Step A.
You can use the * (asterisk) character as a wildcard. domain=* allows access from any domain. The domain access can be restricted, which limits the access for outside domains. For example, specify your domain:
<allow-http-request-headers-from domain="<domain_name>" headers="*" secure="false" />
<allow-access-from domain="<domain_name>" secure="false" />
There are technically 4 crossdomain.xml files that need to be updated:
<CA PPM Install>\tomcat-nsa-deploy\ROOT\crossdomain.xml
<CA PPM Install>\tomcat-app-deploy\ROOT\crossdomain.xml
<CA PPM Install>\config\crossdomain.xml
<CA PPM Install>\.setup\templates\crossdomain.xml
Step B.
Alternative to the security measure above, Step B should remove flag from the Vulnerability Scanner and only be implemented if the CA PPM/Business Objects Xcelsius Solution integration is no longer used by the organization.
Comment out the lines in all the crossdomain.xml policy files.
For example,
<cross-domain-policy>
<!--allow-access-from domain="<domain_name>" /><allow-access-from domain="<domain_name>" />-->
</cross-domain-policy>
If implement Step A (restrict policy to only allow domains required for the application to function, i.e., remove wildcard policies and inappropriate domains) and still the Vulnerability Scanner flags the crossdomain.xml policy, we do not have a workaround as CA PPM is working as designed. Please discuss with Security Team will need to make an exception in their security policy. The crossdomain.xml file is used for our integration into the Business Objects Xcelsius Solution. Since the whole Business Objects integration has reached its EOS date:
http://www.ca.com/us/support/ca-support-online/product-content/status/announcement-documents/2015/ca-business-intelligence-for-ca-ppm-end-of-life-follow-up-announcement.aspx?id=%7BAF259982-D190-4C0C-837B-086AA7F5CE32%7D
Additional Information
Whenever Xcelsius or any other external datasource integration done with CA PPM needs specification of the crossdomain policies. You can find the exact specifications we use here:
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
Feedback
Powered by
