CA Access Gateway 12.52 SP1 b499 has been found to be vulnerable to an XML External Entity (XXE) attack. An attacker exploiting this vulnerability is able to retrieve confidential data and access sensitive files on the server, e.g. the "passwd" file.
SiteMinder's "affwebservices" component contains two SOAP services: router and session. A SOAP request sent to these endpoints with an external entity reference inside the parameter causes an exception when the service tries to parse the contents of the requested system file (/etc/passwd, for example) as a valid date/timestamp. The response contains the message "Exception from service object: Unparseable date:" followed by the data from /etc/passwd.
The issue is corrected in CA Access Gateway R12.51 CR10 Build#1612.
The following workarounds are also suggested:
- add the ampersand character (&) to BadCSSChars
- add string validation for the accessTimestamp to check for integers and/or proper date formatting
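
The second workaround, sketched in Python as a stand-alone pre-filter; this is an added example, not CA's code. It rejects any request that carries a DOCTYPE and accepts accessTimestamp only as an integer or a date. The date format and every element name other than accessTimestamp are assumptions.

```python
import re
from datetime import datetime
from xml.parsers import expat

DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed; the page does not name the date format

class Rejected(ValueError):
    """Request must not be forwarded to the SOAP service."""

def valid_timestamp(value):
    if re.fullmatch(r"[0-9]{1,19}", value):  # integer, e.g. epoch seconds
        return True
    try:
        datetime.strptime(value, DATE_FORMAT)
        return True
    except ValueError:
        return False

def extract_timestamp(xml_bytes):
    """Return the validated accessTimestamp text, or raise Rejected."""
    state = {"inside": False, "count": 0, "text": []}
    def no_dtd(*_args):
        raise Rejected("DOCTYPE present")  # no DTD means no entity can be declared
    def start(name, _attrs):
        if name.rsplit(":", 1)[-1] == "accessTimestamp":  # ignore namespace prefix
            state["inside"], state["count"] = True, state["count"] + 1
    def end(_name):
        state["inside"] = False
    def chars(data):
        if state["inside"]:
            state["text"].append(data)
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = no_dtd
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:  # includes references to undeclared entities
        raise Rejected(f"malformed XML: {exc}") from exc
    value = "".join(state["text"]).strip()
    if state["count"] != 1 or not valid_timestamp(value):
        raise Rejected("accessTimestamp is not a single integer or date")
    return value

def accepted(xml_bytes):
    try:
        return extract_timestamp(xml_bytes) is not None
    except Rejected:
        return False

# Constructed samples; element names other than accessTimestamp are hypothetical.
GOOD = b"<Envelope><Body><accessTimestamp>1425463530</accessTimestamp></Body></Envelope>"
WITH_DTD = b'<!DOCTYPE e [<!ENTITY x SYSTEM "file:///placeholder">]>' + GOOD
NOT_A_DATE = GOOD.replace(b"1425463530", b"root:x:0:0")
```

A filter like this only narrows exposure until the fixed build is installed; it does not change how the service's own XML parser resolves entities.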