Full Report
Polarion ALM is vulnerable to an XML External Entity (XXE) injection attack that could allow an attacker to disclose confidential data. Siemens has released an update for Polarion ALM and recommends updating to the latest version.
Analysis Summary
# Vulnerability: XML External Entity (XXE) Injection in Polarion ALM
## CVE Details
- **CVE ID:** CVE-2023-28828
- **CVSS Score:** 5.9 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
- **CWE:** CWE-611: Improper Restriction of XML External Entity Reference
## Affected Systems
- **Products:** Polarion ALM
- **Versions:** All versions prior to V22 R2 P3
- **Configurations:** Systems utilizing default XML parsing configurations that allow DTD (Document Type Definition) processing or external entity references.
## Vulnerability Description
Polarion ALM is vulnerable to an XML External Entity (XXE) injection flaw. The application fails to properly restrict or disable the resolution of external entities within XML documents uploaded to or processed by the server. This allows an attacker to include a malicious URI in an XML payload, which the server’s XML parser then attempts to resolve.
## Exploitation
- **Status:** A proof of concept exists, but exploitation in the wild has not been reported.
- **Complexity:** High (Requires specific knowledge of the application's XML processing entry points).
- **Attack Vector:** Network (Remotely exploitable).
## Impact
- **Confidentiality:** High (Successful exploitation allows an attacker to read sensitive files from the application server's filesystem).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
Siemens recommends updating to the following version or any subsequent release:
- **Polarion ALM:** Update to V22 R2 P3 or later.
### Workarounds
The advisory also describes a workaround: harden the XML parser configuration within the application environment by setting the following feature flags on the XML parser pool:
- Set `disallow-doctype-decl` to **TRUE**.
- Set `external-general-entities` to **FALSE**.
- Set `external-parameter-entities` to **FALSE**.
- Set `secure-processing` to **TRUE**.
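The four flags above are standard JAXP/Xerces parser features. The following is an added illustration (not code from the advisory or from Polarion) of how a Java `DocumentBuilderFactory` is hardened with them, and it shows that a constructed payload carrying a `<!DOCTYPE>` with an external entity is rejected before any entity is resolved; the factory, feature URIs and sample documents are all assumptions, not Polarion internals.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Factory configured with the four advisory flags (Xerces/JAXP feature URIs),
    // plus two defence-in-depth settings: no XInclude, no entity expansion.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // disallow-doctype-decl = TRUE: any <!DOCTYPE> aborts the parse (covers most XXE)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // external-general-entities = FALSE: &name; entities are never fetched
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // external-parameter-entities = FALSE: %name; entities in a DTD are never fetched
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // secure-processing = TRUE: JAXP resource limits (entity expansion count, etc.)
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true if the document parses under the hardened configuration,
    // false if the parser rejects it (SAXException) or cannot be configured.
    public static boolean parsesSafely(String xml) {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents; the SYSTEM URI is a placeholder, not a real target.
        String benign = "<workitem><title>Fix login timeout</title></workitem>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///CONSTRUCTED-PLACEHOLDER\">]>"
                           + "<x>&ext;</x>";
        System.out.println("benign accepted:   " + parsesSafely(benign));       // true
        System.out.println("doctype rejected:  " + !parsesSafely(withDoctype)); // true
    }
}
```

With `disallow-doctype-decl` alone the DOCTYPE is refused outright, so the entity definitions are never read; the remaining flags matter for parsers or code paths where a DTD must still be tolerated.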
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound or internal network requests originating from the Polarion ALM server, and for spikes in access logs for endpoints that accept XML.
- **Detection methods and tools:**
  - Use Web Application Firewalls (WAF) to flag XML payloads containing `<!DOCTYPE` or `<!ENTITY` declarations, particularly those using the `SYSTEM` or `PUBLIC` keywords to reference external resources.
  - Security scanning tools (SAST/DAST) can be used to identify unpatched versions or vulnerable XML parsing logic.
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-632164[.]pdf
- **Siemens Industrial Security:** hxxps[://]www[.]siemens[.]com/industrialsecurity
- **CWE-611 Detail:** hxxps[://]cwe[.]mitre[.]org/data/definitions/611[.]html