Home[ERPSCAN-17-007] SAP Netweaver AS Java – XXE vulnerability in Visual Composer VC70RUNTIME
February 14, 2017

[ERPSCAN-17-007] SAP Netweaver AS Java – XXE vulnerability in Visual Composer VC70RUNTIME

,

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA 7.5
Vendor URL: SAP
Bugs: XXE
Reported: 17.06.2016
Vendor response: 18.06.2016
Date of Public Advisory: 14.02.2017
Reference: SAP Security Note 2386873
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: XXE
Impact: Denial of Service, Read File
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVE Name: CVE-2017-8913
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

A malicious user can modify an XML-based request to include XML content that is then parsed locally.

Business risk

An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by XML parser. An attacker can use an XML external entity vulnerability for getting unauthorized access to OS filesystem.

VULNERABLE PACKAGES

VCFLEX7.00
VCFRAMEWORK7.00
VC70RUNTIME7.30
VC70RUNTIME7.31
VC70RUNTIME7.40
VC70RUNTIME7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2386873.

TECHNICAL DESCRIPTION

Proof of Concept