Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: http://www.sap.com
Bugs: cryptographic issues
Vendor response: 02.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2191290
Author: Vahagn Vardanyan (ERPScan)
Class: Cryptographic issues [CWE-326]
Impact: information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score: 3.5 / 10
CVSS Base Vector:
|AV : Access Vector (Related exploit range)||Network (N)|
|AC: Access Complexity (Required attack complexity)||Medium (M)|
|>Au : Authentication (Level of authentication needed to exploit)||Single (S)|
|C : Impact to Confidentiality||Partial (P)|
|I : Impact to Integrity||None (N)|
|A : Impact to Availability||None (N)|
An attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) which will help to learn more about the system and to plan other attacks.
An attacker may be able to decrypt data without brute force attacks.
SAP NetWeaver J2EE Engine 7.40
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2191290
An attacker can discover information relating to AS Java by using UME. This information may allow the attacker to specialize their attacks against AS Java.
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: