It has been determined that CA Access Gateway 12.52 SP1 b499 is vulnerable to the XML External Entity(XXE) exploit. An attacker exploiting this vulnerability is able to retrieve confidential data and access sensitive files on the server, e.g. the "passwd" file.
SiteMinder's "affwebservices" part contains two SOAP services: router and session. You can send a SOAP request to the endpoints with an external entity reference inside the parameter, this will cause an exception when the service tries to parse the contents of a requested system file (/etc/passwd, for example) into a valid date/timestamp. Exception from service object: Unparseable date: is obtained followed by the data from /etc/passwd.
PS 12.52 SP1 CR02 build 766 SPS 12.52 SP1 build 499
Issue is corrected in CA Access Gateway R12.51 CR10 Build#1612
As a workaround, the following workarounds are also suggested