The Castor library is an Open Source data-binding framework for Java applications. One of its most useful functions is to provide for easy implementations of Java-to-XML binding. The library's unmarshalling class, however, is susceptible to XML External Entity (XXE) attacks. If the XML that is being passed to the unmarshalling function is controllable by an end user, there is the potential that they could retrieve local resources, download malicious code from other servers, and/or open arbitrary TCP connections.
This vulnerability is fixed in PAM 4.2SP2. To correct this vulnerability in any previous release, follow the instructions below:
The fix for this issue is actually very simple. The main Castor configuration file (castor.properties) can be used to specify which XML parser features should be enabled or disabled. In order to prevent the parser from resolving external entities, the external-general-entities and external-parameter-entities features should be disabled. Additionally, the disallow-doctype-decl feature should be turned on, so that a DOCTYPE declaration (where entities are defined) is rejected outright.
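The resulting castor.properties fragment, as an added example rather than the article's or CA's own configuration; the two Castor property keys are assumed from the Castor documentation and should be checked against the castor.properties shipped with your release, while the three feature URIs are the standard SAX/Xerces feature names:

```properties
# Hardened castor.properties fragment (added example, not from the original article).
# Property keys org.exolab.castor.sax.features and
# org.exolab.castor.sax.features-to-disable are assumed from the Castor
# documentation; verify them against the castor.properties in your release.

# Features to enable: reject any DOCTYPE declaration, so no entities
# (internal or external) can be declared in user-supplied XML.
org.exolab.castor.sax.features=http://apache.org/xml/features/disallow-doctype-decl

# Features to disable: stop the parser from fetching external general
# entities (file/URL reads) and external parameter entities (DTD loads).
org.exolab.castor.sax.features-to-disable=http://xml.org/sax/features/external-general-entities,http://xml.org/sax/features/external-parameter-entities
```

After the change, unmarshalling an XML document that carries a DOCTYPE should fail with a parse error instead of resolving the entity; use that as the check that the properties file was actually picked up.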
In order to modify the castor.properties file, perform the following steps:
Release: ITPASA99000-4.1-Process Automation-Add On License for-CA Server Automation