ICSA-23-103-12 · Published 2025-05-06 · View on CISA ICS-CERT ↗
Siemens Polarion ALM
CVSS 5.9 (MEDIUM)
CVEs (1)
Remediations
- Set the configurations below on the OpenSAML 4.x parser pool to mitigate XML external entity (XXE) injection. Polarion V2304 and later versions ship with these settings by default.

```java
import java.util.HashMap;
import java.util.Map;

// Pool sizing and DOM normalisation
parserPool.setMaxPoolSize(100);
parserPool.setCoalescing(true);
parserPool.setIgnoreComments(true);
parserPool.setIgnoreElementContentWhitespace(true);
parserPool.setNamespaceAware(true);
// Never expand entity references and never process XInclude directives
parserPool.setExpandEntityReferences(false);
parserPool.setXincludeAware(false);

// Builder features: no external entities, no DOCTYPE at all, secure processing on
final Map<String, Boolean> features = new HashMap<String, Boolean>();
features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
features.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
features.put("http://javax.xml.XMLConstants/feature/secure-processing", Boolean.TRUE);
parserPool.setBuilderFeatures(features);
```
- Update to V22R2 or later version
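The following is an added example and is not code from Siemens or from the Polarion product. It wires the mitigation settings above into an OpenSAML 4.x `BasicParserPool` (the `net.shibboleth.utilities.java.support.xml` class that OpenSAML 4 uses for DOM parsing), initialises the pool, and checks that a SAML-shaped message carrying an external entity is refused while a benign message still parses. The class name `HardenedParserPoolCheck` and the two sample messages are constructed for this example; it assumes OpenSAML 4.x and its `java-support` dependency are on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import org.w3c.dom.Document;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import net.shibboleth.utilities.java.support.xml.XMLParserException;

/**
 * Added example (not Siemens/Polarion code). Builds a BasicParserPool with the
 * advisory's hardened settings and verifies that an XXE payload is rejected.
 */
public class HardenedParserPoolCheck {

    /** Constructed sample: the kind of payload a crafted SAML response could carry. */
    static final String XXE_MESSAGE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE samlp:Response [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " ID=\"_1\" Version=\"2.0\" IssueInstant=\"2023-01-01T00:00:00Z\">&xxe;</samlp:Response>";

    /** Constructed sample: the same message with no DOCTYPE and no entities. */
    static final String BENIGN_MESSAGE =
        "<?xml version=\"1.0\"?>\n"
      + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " ID=\"_1\" Version=\"2.0\" IssueInstant=\"2023-01-01T00:00:00Z\"/>";

    /** Pool configured with the settings the advisory's mitigation lists. */
    static BasicParserPool hardenedPool() throws ComponentInitializationException {
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setMaxPoolSize(100);
        parserPool.setCoalescing(true);
        parserPool.setIgnoreComments(true);
        parserPool.setIgnoreElementContentWhitespace(true);
        parserPool.setNamespaceAware(true);
        parserPool.setExpandEntityReferences(false);
        parserPool.setXincludeAware(false);

        Map<String, Boolean> features = new HashMap<>();
        features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
        features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
        features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
        features.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
        features.put("http://javax.xml.XMLConstants/feature/secure-processing", Boolean.TRUE);
        parserPool.setBuilderFeatures(features);

        // The features are applied to the DocumentBuilderFactory during initialize();
        // a pool that is never initialised cannot hand out builders.
        parserPool.initialize();
        return parserPool;
    }

    /** Returns true if the pool accepted the message, false if the parser refused it. */
    static boolean parses(BasicParserPool pool, String xml) {
        try {
            Document doc = pool.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (XMLParserException e) {
            // With disallow-doctype-decl=true the DOCTYPE itself triggers the error,
            // so the external entity is never resolved, let alone expanded.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        BasicParserPool pool = hardenedPool();
        System.out.println("benign message accepted: " + parses(pool, BENIGN_MESSAGE));
        System.out.println("XXE message accepted:    " + parses(pool, XXE_MESSAGE));
    }
}
```

Rejecting every DOCTYPE is deliberately stricter than only disabling external entities: it also stops entity-expansion denial of service ("billion laughs") and parameter-entity tricks, and SAML protocol messages have no legitimate need for a DOCTYPE. When verifying a deployment, run a check like the one above against the actual pool the application builds rather than trusting that the settings were copied correctly; a single feature key misspelled in configuration is silently ignored by some factories.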
Affected Vendors
Siemens
Affected Products (1)
Siemens · Polarion ALM (versions < V22R2)
Affected Sectors
Multiple