SPS servers vulnerable to an XXE injection attack

Document ID:  TEC1887706
Last Modified Date:  07/06/2017


  • CA Single Sign-On


  • CA Single Sign-On:Release:12.52 SP1



During security audit tests we found that our SPS server could be vulnerable to an XXE injection attack due to an XML SOAP vulnerability.

SPS R12.52 SP1 CR00

This has been fixed in R12.52 SP1 CR06. If you are affected on a previous release, you can resolve the issue by applying the following steps:

1) On the SPS server, go to the /secure-proxy/Tomcat/webapps/affwebservices/WEB-INF folder.
2) Make a backup of the web.xml file.
3) Stop SPS.
4) Edit web.xml and locate the section shown below.
5) Remove or comment out the entire "router" servlet section.
6) Restart SPS.

    <display-name>Apache-SOAP RPC Router</display-name>
    <description>This is the main servlet that dispatches the SOAP requests to registered web services</description>
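
To confirm step 5 took effect, the descriptor can be parsed and checked for an active servlet carrying the display-name shown above. This is an added example, not CA's code; the sample descriptor is constructed, and its servlet-name, servlet-class and url-pattern values are placeholders. It also lists any servlet-mapping left pointing at a servlet that is no longer declared, so it can be commented out together with the servlet.

```python
import xml.etree.ElementTree as ET

ROUTER_DISPLAY_NAME = "Apache-SOAP RPC Router"  # display-name quoted in the article

# Constructed sample descriptor; servlet-name, servlet-class and url-pattern
# are placeholders, not values from the product's real web.xml.
BEFORE = """<web-app>
  <servlet>
    <servlet-name>router</servlet-name>
    <display-name>Apache-SOAP RPC Router</display-name>
    <servlet-class>example.PlaceholderRouter</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>router</servlet-name>
    <url-pattern>/placeholder/router</url-pattern>
  </servlet-mapping>
</web-app>"""
# Step 5 applied to the <servlet> element only (mapping left behind on purpose).
AFTER = BEFORE.replace("<servlet>", "<!-- <servlet>").replace("</servlet>", "</servlet> -->")

def local(tag):
    """Drop a namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Return (active_router_servlet_names, url_patterns_of_dangling_mappings).

    The parser discards XML comments, so a commented-out section counts as removed.
    """
    root = ET.fromstring(xml_text)
    servlets = [e for e in root if local(e.tag) == "servlet"]
    mappings = [e for e in root if local(e.tag) == "servlet-mapping"]
    declared = {child_text(s, "servlet-name") for s in servlets}
    routers = [child_text(s, "servlet-name") for s in servlets
               if child_text(s, "display-name") == ROUTER_DISPLAY_NAME]
    dangling = [child_text(m, "url-pattern") for m in mappings
                if child_text(m, "servlet-name") not in declared]
    return routers, dangling

if __name__ == "__main__":
    print("before fix:", audit_web_xml(BEFORE))
    print("after fix: ", audit_web_xml(AFTER))
```

To check a real installation, pass the contents of the edited web.xml, read in binary mode, to `audit_web_xml`; an empty first list means no active router servlet remains.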

Additional Information:

Defects Fixed in 12.52 SP1 CR06

00424351 DE172435

CA Access Gateway is vulnerable to an XXE injection attack that can retrieve confidential data and access sensitive files on the server, for example the "passwd" file.

