CVE-2022-33739
📋 TL;DR
CVE-2022-33739 is an XML External Entity (XXE) vulnerability in CA Clarity PPM that allows remote attackers to read arbitrary files on the server. This affects CA Clarity PPM versions 15.8 and below, and version 15.9.0. Attackers can potentially access sensitive system files through insecure XML parsing.
💻 Affected Systems
- CA Clarity PPM
📦 What is this software?
CA Clarity by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, configuration files with credentials, or SSH keys, leading to lateral movement or full system takeover.
Likely Case
Unauthorized access to sensitive configuration files, application data, or system files containing credentials or business information.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and XML parser hardening.
🎯 Exploit Status
XXE vulnerabilities are well-understood and easily exploitable with standard XXE payloads. No public exploit code is known, but the vulnerability type is trivial to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.9.1 and later
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20645
Restart Required: Yes
Instructions:
1. Download CA Clarity PPM 15.9.1 or later from the Broadcom support portal.
2. Apply the patch following Broadcom's installation instructions.
3. Restart the CA Clarity PPM application server.
🔧 Temporary Workarounds
Disable XXE in XML parser
Configure the XML parser to disable external entity resolution
Set the XML parser features FEATURE_SECURE_PROCESSING = true and DISALLOW_DOCTYPE_DECL = true
Input validation and filtering
Implement XML input validation to reject malicious XXE payloads
Implement XML schema validation or whitelist allowed XML elements
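The two parser features named in the workaround above correspond to Java's XMLConstants.FEATURE_SECURE_PROCESSING and the Xerces disallow-doctype-decl feature; this added example (not Broadcom's code or the product's real parser configuration) applies them to a JAXP DocumentBuilderFactory and compares the outcome against a default factory. The class name, the constructed sample document with its placeholder file path, and the extra SAX external-entity switches added for defence in depth are all assumptions of this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: a DOCTYPE with a SYSTEM external entity, the shape the
    // detection section flags. The file path is a placeholder, not a real target.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>\n"
      + "<project><name>&ext;</name></project>";

    // Hardened factory: the two features from the workaround, plus the SAX
    // external-entity switches so nothing is fetched even if a DOCTYPE slipped through.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Classifies what the parser did with the document. REJECTED is the desired
    // outcome: the DOCTYPE was refused before any entity could be resolved.
    static String parseOutcome(DocumentBuilderFactory dbf, String xml) throws ParserConfigurationException {
        try {
            dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "PARSED";          // document accepted as-is
        } catch (SAXException e) {
            return "REJECTED";        // disallow-doctype-decl: "DOCTYPE is disallowed"
        } catch (IOException e) {
            return "FETCH_ATTEMPTED"; // parser tried to open the SYSTEM target: not hardened
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parseOutcome(DocumentBuilderFactory.newInstance(), SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened: " + parseOutcome(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

On a stock JDK the default factory reports FETCH_ATTEMPTED (it tries to read the placeholder file), while the hardened factory reports REJECTED without touching the filesystem; the same two setFeature calls apply to SAXParserFactory and XMLInputFactory-based parsers.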
🧯 If You Can't Patch
- Implement network segmentation to restrict access to CA Clarity PPM servers
- Deploy a web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check the CA Clarity PPM version via the admin console or the version file. If the version is 15.8 or below, or exactly 15.9.0, the system is vulnerable.
Check Version:
Check the version in the Admin Console, or examine the version.properties file in the installation directory.
Verify Fix Applied:
Verify the version is 15.9.1 or later. Test XML parsing functionality with safe XXE test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts via XML parsing
- Large XML payloads with external entity references
Network Indicators:
- HTTP requests with XML content containing SYSTEM or PUBLIC DTD declarations
- Outbound connections from the application server to external URLs initiated during XML parsing
SIEM Query:
source="ca_clarity_logs" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")