[ERPSCAN-17-003] SAP NetWeaver AS Java getUserUddiElements SQL Injection

Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver AS Java ES UDDI 7.11 – 7.5
Vendor URL: SAP
Bugs: SQL injection
Reported: 17.06.2016
Vendor response: 17.06.2016
Date of Public Advisory: 10.01.2017
Reference: SAP Security Note 2356504
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: SQL injection
Impact: read sensitive data, modify or delete data from database
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 4.1 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) High (H)
PR: Privileges Required (Level of privileges needed to exploit) High (H)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability Low (L)

Description

The problem is caused by an SQL injection vulnerability. The affected code builds an SQL statement by concatenating strings that an attacker can control, instead of binding them as parameters. The manipulated SQL statement can then be used to retrieve additional data from the database or to modify data without authorization.

Business risk

An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries to read and modify sensitive information in the database, execute administrative operations on the database, or destroy data or make it unavailable. In some cases, depending on the database and its privileges, an attacker can also access system data or execute OS commands.

VULNERABLE PACKAGES

ES UDDI 7.11
ES UDDI 7.20
ES UDDI 7.30
ES UDDI 7.31
ES UDDI 7.40
ES UDDI 7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2356504.

TECHNICAL DESCRIPTION

The vulnerable code is located in the package com.sap.uddi.helpers.database.util, class UDDIDbUtil.