Siemens Polarion ALM
Score: 5.9 · ICS-CERT ICSA-23-103-12 · Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Siemens Polarion ALM versions prior to V22R2 contain an XML External Entity (XXE) injection vulnerability in the OpenSAML 4.x XML parser used by the product. An unauthenticated remote attacker who can get a crafted XML document to that parser can make it resolve external entities and return the contents of local files and configuration data from the server. CWE-611 (Improper Restriction of XML External Entity Reference).
What this means
What could happen
An attacker could exploit an XXE injection vulnerability to read sensitive files and configuration data from the Polarion ALM server, such as credentials or internal system information that could be used for further attacks.
Who's at risk
Siemens Polarion ALM users who rely on this application lifecycle management platform for project tracking and configuration management. Typically used by engineering teams and manufacturing organizations to manage documents and artifacts. This affects organizations that have deployed Polarion ALM versions prior to 22R2.
How it could be exploited
An attacker sends a malicious XML document whose DTD declares an external entity pointing at a local file (for example /etc/passwd or a configuration file) and references that entity inside an element that Polarion ALM echoes back. The parser resolves the entity, and the file contents are returned to the attacker in the application response. This in-band variant only works when the expanded entity lands in output the attacker can see and the target file parses as well-formed text; otherwise additional XXE techniques are needed, and the high attack complexity reflects that.
Prerequisites
- Network access to the Polarion ALM web interface
- Knowledge of or ability to discover the XML input endpoints in Polarion ALM
- The OpenSAML 4.x parser used by Polarion ALM must be configured without XXE protections, which is the state of the affected versions before the SSA-632164 configuration changes or the V22R2 update are applied
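To make the mechanism concrete, here is an added example, not code from Polarion ALM, OpenSAML or the Siemens advisory. It builds the in-band XXE payload described above, feeds it to a parser whose entity resolver trusts the document's SYSTEM identifier (the weak configuration), and then to the same parser with DTD processing refused, which is the shape of the "disable external entity processing" workaround. Polarion is a Java product; Python's expat is used here only because it exposes the two decisive hooks (entity resolution and DOCTYPE handling) in a few lines. The target file, its contents and all function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.request import urlopen
import xml.parsers.expat as expat


def build_xxe_payload(file_uri: str) -> bytes:
    """Classic in-band XXE document: an external general entity pointing at a
    local file, referenced inside an element the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "{file_uri}">\n'
        "]>\n"
        "<data>&xxe;</data>\n"
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser whose entity resolver fetches whatever SYSTEM id the document
    names. Expat never fetches anything itself; it hands the URI to the
    ExternalEntityRefHandler, and a trusting resolver turns that into a file read."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # Unsafe: the system id is attacker-controlled, yet it is opened blindly.
        with urlopen(system_id) as fh:
            content = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append  # entity text lands in the output
        child.Parse(content, True)
        return 1  # non-zero tells expat the entity was handled

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(text)


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when the document carries a DTD."""


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse with DTD processing refused outright. SAML messages have no
    legitimate use for a DOCTYPE, so rejecting it closes XXE, entity expansion
    (billion laughs) and DTD-driven SSRF in one move. No resolver is installed
    either, so a DOCTYPE that somehow got through would have nothing to fetch with."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Write a constructed 'config' file, then try to exfiltrate it through both
    parsers. Returns (text leaked by the vulnerable parser, error raised by the
    hardened one); an empty second value would mean the hardening failed."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("db.password=constructed-example-secret\n")  # constructed sample
        path = fh.name
    try:
        payload = build_xxe_payload(Path(path).as_uri())
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = ""
        except DoctypeRejected as exc:
            blocked = str(exc)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", leaked.strip())
    print("hardened parser said:", blocked)
```

The same two controls exist in the Java parser stack Polarion runs on: on a JAXP DocumentBuilderFactory the feature `http://apache.org/xml/features/disallow-doctype-decl` set to true refuses the DTD, and `http://xml.org/sax/features/external-general-entities` set to false stops external entity resolution. Which of these the SSA-632164 configuration changes toggle is not stated on this page; follow the advisory text rather than this example when applying the workaround.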
Tags: remotely exploitable · no authentication required · high attack complexity · data disclosure risk
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Polarion ALM | < V22R2 | Fixed in V22R2
Remediation & Mitigation
Do now
WORKAROUND: Apply the OpenSAML 4.x parser configuration changes from Siemens SSA-632164 to disable external entity processing
Schedule — requires maintenance window
Note: the update may require restarting the Polarion ALM server; plan for a service interruption
HOTFIX: Update Polarion ALM to V22R2 or later (recommended: V2304.0 or later)
Long-term hardening
HARDENING: Restrict network access to the Polarion ALM web interface using firewall rules or IP allowlists
CVEs (1)