[ERPSCAN-15-004] SAP NetWeaver Portal XMLValidationComponent – XXE
Application: SAP NetWeaver Portal
Versions Affected: SAP NetWeaver Portal 7.31.201109172004
Vendor URL: http://www.sap.com
Bugs: XML External Entity
Vendor response: 07.11.2014
Date of Public Advisory: 15.02.2015
Reference: SAP Security Note 2093966
Authors: Vahagn Vardanyan (ERPScan)
Class: XML External Entity [CWE-611]
Impact: read file, upload file, DoS, information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2812
It is possible for attackers to send any packet to any port of any system including localhost.
It means that it is possible, for example, to send any administrative command to Gateway or Message Server because the source of the packet will be localhost, and there are no restrictions for localhost. Another example is an attack on other interfaces.
SAP XML parser validates all incoming XML requests with user specified DTD.
SAP NetWeaver Portal 7.31
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Notes 2098608 and 2093966.
SAP XML parser (parserXMLValidationComponent) validates all incoming XML requests with a user-specified DTD.
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: