Application: SAP NetWeaver AS JAVA **Versions Affected:**SAP NetWeaver AS JAVA 7.1 – 7.5 Vendor URL:SAP **Bugs:**Information disclosure **Reported:**15.09.2015 **Vendor response:**16.09.2015 **Date of Public Advisory:**09.02.2016 **Reference:**SAP Security Note 2256846 Author: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Information disclosure
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2388
CVSS Information
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) | Network (N) |
---|---|
AC : Access Complexity (Required attack complexity) | Low (L) |
Au : Authentication (Level of authentication needed to exploit) | None (N) |
C : Impact to Confidentiality | Low(N) |
I : Impact to Integrity | None(N) |
A : Impact to Availability | None (N) |
Description
Anonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.
Business risk
An attacker can use Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) that will help him to learn about a system and to plan other attacks.
VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.4, 7.5
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2256846
TECHNICAL DESCRIPTION
An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) that will help him to learn more about a system and to plan further attacks.
Steps to exploit this vulnerability
1. Open
http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#
1
|
http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#
—|—
page on SAP server
2. Press “Choose” button
3. In the opened window press “Search”
You will get a list of SAP users