WSDL attacks are another type of SQL injection attack. They are commonly used to retrieve sensitive data.
An attacker can use the information disclosed by the WSDL file to attack the application that other users depend on.
CA Service Desk Manager 17.3 and 17.4
AXIS based Web Services
AXIS 1.4 JAR files are third-party JAR files that CA SDM uses to expose its AXIS web services.
Unfortunately, there is no official patch from the AXIS vendor for this vulnerability, since AXIS 1.x is End of Life and is no longer maintained.
The only solution is to move to the Apache CXF based web services that were recently introduced in CA SDM.
The URL for the CXF-based service is: http(s)://<hostname>:<portnumber>/cxf/services
The URL for the WSDL document is: http(s)://<hostname>:<portnumber>/cxf/services/USD_WebService?wsdl
For more information on the CXF usage, refer to the following documentation:
Tips for SOAP Web Services Clients
Contents of the Samples Directory
If you are using CA SDM AXIS web services, you will need to move your web services applications to the CXF based web services.
Once you have moved all of your web services applications to CXF based web services and tested them thoroughly, you can disable the AXIS web services.
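The following script is an added example and is not part of this article or of CA SDM. It checks the outcome of the migration described above: it builds the CXF WSDL URL given in the article, confirms that the response is a genuine WSDL document (root element in the WSDL namespace) and lists the services and operations it declares, then probes the legacy AXIS endpoint and reports whether it is still reachable after you have disabled it. The AXIS service path is a placeholder to be replaced with your installation's own path, and the embedded WSDL is a constructed sample used only to exercise the parser offline; it is not the real USD_WebService contract.

```python
"""Post-migration check for CA SDM web-service endpoints.

Added example, not part of the original article or of CA SDM itself.
Confirms the CXF endpoint from the article serves a real WSDL and that
the legacy AXIS endpoint is no longer exposed once it has been disabled.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
CXF_WSDL_PATH = "/cxf/services/USD_WebService?wsdl"   # path given in the article
AXIS_WSDL_PATH = "/<LEGACY_AXIS_SERVICE_PATH>?wsdl"   # placeholder: your AXIS service path

# Constructed sample WSDL for offline testing of parse_wsdl(); the operation
# and namespace are made up and do not describe the real USD_WebService.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<wsdl:definitions name="USD_WebService"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://example.invalid/usd"
    targetNamespace="http://example.invalid/usd">
  <wsdl:portType name="USD_WebServicePortType">
    <wsdl:operation name="exampleOperation"/>
  </wsdl:portType>
  <wsdl:binding name="USD_WebServiceSoapBinding" type="tns:USD_WebServicePortType">
    <wsdl:operation name="exampleOperation"/>
  </wsdl:binding>
  <wsdl:service name="USD_WebService">
    <wsdl:port name="USD_WebServicePort" binding="tns:USD_WebServiceSoapBinding"/>
  </wsdl:service>
</wsdl:definitions>
"""


def build_urls(scheme, hostname, port, axis_path=AXIS_WSDL_PATH):
    """Compose the CXF WSDL URL from the article plus the legacy AXIS probe URL."""
    base = f"{scheme}://{hostname}:{port}"
    return {"cxf": base + CXF_WSDL_PATH, "axis": base + axis_path}


def parse_wsdl(document):
    """Return declared service and operation names if `document` is a WSDL, else None."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError:
        return None
    if root.tag != f"{{{WSDL_NS}}}definitions":
        return None  # well-formed XML but not a WSDL (e.g. an HTML error page)
    services = [s.get("name") for s in root.iter(f"{{{WSDL_NS}}}service")]
    # <operation> appears under both portType and binding; a set removes duplicates
    operations = sorted({o.get("name") for o in root.iter(f"{{{WSDL_NS}}}operation")
                         if o.get("name")})
    return {"services": services, "operations": operations}


def fetch(url, timeout=10):
    """GET a URL and return (status, body); status is None when no HTTP answer came back."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def assess(cxf_wsdl, axis_status):
    """Verdict from the parsed CXF WSDL (or None) and the AXIS probe's HTTP status."""
    if cxf_wsdl is None:
        return "CXF endpoint does not serve a WSDL; migration incomplete"
    if axis_status is not None and axis_status < 400:
        return "CXF OK, but legacy AXIS endpoint still exposed; disable it"
    return "CXF OK and AXIS endpoint not reachable"


def main(argv):
    if len(argv) != 4:
        print("usage: check_sdm_ws.py <http|https> <hostname> <port>")
        return 2
    urls = build_urls(*argv[1:4])
    cxf_status, body = fetch(urls["cxf"])
    axis_status, _ = fetch(urls["axis"])
    wsdl = parse_wsdl(body) if cxf_status == 200 else None
    if wsdl:
        print("CXF services:", ", ".join(wsdl["services"]))
        print("CXF operations:", ", ".join(wsdl["operations"]))
    verdict = assess(wsdl, axis_status)
    print(verdict)
    return 0 if verdict.startswith("CXF OK and") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_sdm_ws.py https <hostname> <portnumber>` after the AXIS services have been disabled; a non-zero exit code means either the CXF endpoint is not yet serving a WSDL or the AXIS endpoint still answers. The verdict deliberately treats any HTTP status below 400 on the AXIS path as "still exposed", since a redirect or login page on that path still means the old servlet is mapped.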