
[ERPSCAN-16-003] SAP NetWeaver 7.4 – cryptographic issues

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: http://www.sap.com
Bugs: cryptographic issues
Reported: 01.09.2015
Vendor response: 02.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2191290
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION
Class: Cryptographic issues [CWE-326]
Impact: information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 3.5 / 10
CVSS Base Vector:

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) Medium (M)
Au: Authentication (Level of authentication needed to exploit) Single (S)
C: Impact to Confidentiality Partial (P)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

Business risk
An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn more about the system and plan further attacks.

Description
An attacker may be able to decrypt data without resorting to brute-force attacks.

VULNERABLE PACKAGES
SAP NetWeaver J2EE Engine 7.40
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2191290.

TECHNICAL DESCRIPTION
An attacker can discover information relating to AS Java by using UME. This information may allow the attacker to specialize their attacks against AS Java.

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: