Siemens Polarion ALM
CVSS 5.4 · ICS-CERT ICSA-22-349-08 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Polarion ALM ships with a default Apache HTTP Server configuration that is vulnerable to host header injection. The default redirect rule "RedirectMatch permanent ^/$ /polarion/" uses a relative target, so Apache completes the absolute Location URL of the redirect from the request's Host header without validating it; a crafted request therefore produces a redirect to an arbitrary host. This enables phishing and credential theft by sending legitimate Polarion users to attacker-controlled websites.
What this means
What could happen
An attacker could redirect users to a malicious website by manipulating the Host header in HTTP requests, potentially capturing credentials or injecting malicious content through the Polarion ALM interface.
Who's at risk
Organizations operating Polarion ALM (application lifecycle management) for software development and engineering teams should treat this as a credential theft and phishing risk. It primarily affects engineering teams and development staff who use Polarion for project management and configuration control.
How it could be exploited
An attacker sends a request for "/" to the Polarion ALM front end with a forged Host header. Because the default RedirectMatch rule has a relative target, Apache builds the Location URL from the Host value it received and answers with a permanent redirect to the attacker's host instead of the legitimate Polarion host; nothing on the server checks the header. To turn this into an attack on users, the attacker still needs a victim's browser to issue such a request, typically via an intermediary (a reverse proxy or shared cache) that forwards a tampered Host or serves the poisoned redirect to other users, which is why user interaction is required. A victim who follows the redirect lands on an attacker-controlled site, enabling credential theft or further attacks.
Prerequisites
- Network access to port 80/443 on the Polarion ALM server
- Ability to send HTTP requests with a crafted Host header
- User interaction required to click the redirected link or be automatically redirected
Remotely exploitable · No authentication required · User interaction required · Affects user credentials and data integrity
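The behaviour described above, and the check a practitioner would run before and after applying the workaround, as an added example that is not code from Siemens, the advisory, or Polarion ALM. It stands up a tiny local stand-in for the Apache front end that builds its Location header the way the default rule does (Host header copied into a relative redirect target) or the way the hardcoded-host rule does, sends a request with a forged Host header without following the redirect, and reports whether the injected host comes back. The Host value "attacker.example" and the fixed host "polarion.corp.example" are assumptions for illustration; against a real server, probe() is what you point at the Polarion host and port.

```python
"""Host header reflection check for an Apache-style redirect rule.

Added example (not Siemens', the advisory's, or Polarion ALM's code).
Mimics 'RedirectMatch permanent ^/$ /polarion/': with a relative target,
Apache completes the absolute Location URL from the request's Host header,
so a forged Host ends up in the redirect. The hardcoded-host rule from the
workaround does not. "attacker.example" and "polarion.corp.example" are
assumptions for illustration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import urlsplit


def build_location(host_header: str, fixed_host: Optional[str] = None) -> str:
    """Location value the redirect rule produces.

    fixed_host=None mimics the default rule (Host header copied into the
    absolute URL). A fixed_host mimics the workaround rule
    'RedirectMatch permanent "^/$" https://<fixed_host>/polarion/'.
    """
    if fixed_host:
        return f"https://{fixed_host}/polarion/"
    return f"http://{host_header}/polarion/"


def is_host_reflected(location: str, injected_host: str) -> bool:
    """True if the redirect target lives on the host we injected."""
    if not location:
        return False
    netloc = urlsplit(location).netloc
    # A relative Location ("/polarion/") keeps the user on the site reached.
    return bool(netloc) and netloc.lower() == injected_host.lower()


class _RedirectHandler(BaseHTTPRequestHandler):
    """Stand-in for the Apache front end; only the redirect rule matters."""

    fixed_host: Optional[str] = None

    def do_GET(self) -> None:
        if self.path != "/":
            self.send_error(404)
            return
        location = build_location(self.headers.get("Host", ""), self.fixed_host)
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def probe(host: str, port: int, injected_host: str) -> Tuple[int, str]:
    """GET / with a forged Host header; return (status, Location), unfollowed."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # we supply Host ourselves
        conn.putheader("Host", injected_host)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()


def check_mock(fixed_host: Optional[str], injected_host: str = "attacker.example") -> bool:
    """Start a mock on 127.0.0.1, probe it, report whether Host is reflected."""
    handler = type("Handler", (_RedirectHandler,), {"fixed_host": fixed_host})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        _, location = probe("127.0.0.1", srv.server_address[1], injected_host)
        return is_host_reflected(location, injected_host)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("default rule reflects forged Host:", check_mock(None))
    print("hardcoded-host rule reflects forged Host:", check_mock("polarion.corp.example"))
```

The check deliberately does not follow the redirect: the evidence is the Location header itself, and the same request can be repeated after editing polarion.conf (or polarion-cluster.conf) to confirm the Location now names the hardcoded Polarion host regardless of what Host the request carried.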
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product: Polarion ALM
Affected Versions: < V2304.0
Fix Status: fixed in V2304.0
Remediation & Mitigation
Do now
WORKAROUND: In the Apache HTTP Server configuration file (polarion.conf or polarion-cluster.conf), change 'RedirectMatch permanent ^/$ /polarion/' to 'RedirectMatch permanent "^/$" https://<their-polarion-host-here>/polarion/' so the redirect target names the correct host explicitly instead of being completed from the request's Host header.
Schedule: requires a maintenance window
Patching may require a service restart; plan for process interruption.
HOTFIX: Update Polarion ALM to V2304.0 or later.
Long-term hardening
HARDENING: Restrict network access to Polarion ALM with firewall rules that allow only trusted internal networks and VPN connections.
CVEs (1)
API:
/api/v1/advisories/f10a872a-439c-4a19-be58-37c1a8abea7f