{"id": "SECURITYVULNS:VULN:14343", "bulletinFamily": "software", "title": "SAP Business Objects multiple security vulnerabilities", "description": "Unauthorized access to multiple components.", "published": "2015-03-21T00:00:00", "modified": "2015-03-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14343", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31839", "https://vulners.com/securityvulns/securityvulns:doc:31841", "https://vulners.com/securityvulns/securityvulns:doc:31842", "https://vulners.com/securityvulns/securityvulns:doc:31840"], "cvelist": ["CVE-2015-2075", "CVE-2015-2073", "CVE-2015-2074", "CVE-2015-2076"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:59", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "a0a99a49f908374f2042d92d1e74e8bf"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "86bea2fa805e39262c30b99f3552a3a4"}, {"key": "cvss", "hash": "26769fd423968d45be7383413e2552f1"}, {"key": "description", "hash": "0ffc8f218762c72029335c62b30c175c"}, {"key": "href", "hash": "c93440a04edadc935d01867b495cb6df"}, {"key": "modified", "hash": "a34abbc8939e10fdb2c168fd4e1e23fb"}, {"key": "published", "hash": "a34abbc8939e10fdb2c168fd4e1e23fb"}, {"key": "references", "hash": "1b618b36b150c4ac365a1c08ca240841"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "e0954bf7a7c958d126942e5b46eb5f9c"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "687d7edc0c1a9e1a3227a46461cadf275b6c322f21427f6d83df9f2e7de41880", "viewCount": 5, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2018-08-31T11:09:59"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-2075", "CVE-2015-2076", "CVE-2015-2073", "CVE-2015-2074"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31841", "SECURITYVULNS:DOC:31839", "SECURITYVULNS:DOC:31842", "SECURITYVULNS:DOC:31840"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:130520", "PACKETSTORM:130521"]}], "modified": "2018-08-31T11:09:59"}, "vulnersScore": 6.7}, "objectVersion": "1.3", "affectedSoftware": [{"name": "BussinessObjects Edge", "operator": "eq", "version": "4.0"}]}

{"cve": [{"lastseen": "2019-05-29T18:14:40", "bulletinFamily": "NVD", "description": "SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.", "modified": "2018-10-09T19:56:00", "id": "CVE-2015-2075", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2075", "published": "2015-02-27T15:59:00", "title": "CVE-2015-2075", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:14:40", "bulletinFamily": "NVD", "description": "The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395.", "modified": "2018-10-09T19:56:00", "id": "CVE-2015-2076", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2076", "published": "2015-02-27T15:59:00", "title": "CVE-2015-2076", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2016-04-15T19:11:28", "bulletinFamily": "NVD", "description": "SAP BusinessObjects could allow a remote attacker to gain unauthorized access to the system, caused by an error in the BusinessObjects File Repository Server (FRS) CORBA listener. An attacker could exploit this vulnerability using CORBA to obtain sensitive business data stored on the remote system.", "modified": "2015-02-25T00:00:00", "published": "2015-02-25T00:00:00", "id": "CVE-2015-2073", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2073", "title": "CVE-2015-2073: SAP BusinessObjects unauthorized access", "type": "cve", "cvss": {"score": 3.7, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-04-15T19:11:29", "bulletinFamily": "NVD", "description": "SAP BusinessObjects could allow a remote attacker to bypass security restrictions, caused by an error in the File Repositoy Server (FRS) CORBA listener. An attacker could exploit this vulnerability to overwrite sensitive business data stored on the remote system.", "modified": "2015-02-25T00:00:00", "published": "2015-02-25T00:00:00", "id": "CVE-2015-2074", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2074", "title": "CVE-2015-2074: SAP BusinessObjects CORBA security bypass", "type": "cve", "cvss": {"score": 4.7, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nOnapsis Security Advisory ONAPSIS-2015-004: SAP Business Objects\r\nUnauthorized Audit Information Delete via CORBA\r\n\r\n\r\n1. Impact on Business\r\n=====================\r\n\r\nBy exploiting this vulnerability a remote unauthenticated attacker would be\r\nable to delete auditing information of the remote system.\r\n\r\nThis way, the attacker could perform malicious activities without being\r\ndetected.\r\n\r\nRisk Level: High\r\n\r\n\r\n2. Advisory Information\r\n=======================\r\n\r\n- - Public Release Date: 2015-02-25\r\n\r\n- - Subscriber Notification Date: 2015-02-25\r\n\r\n- - Last Revised: 2015-02-25\r\n\r\n- - Security Advisory ID: ONAPSIS-2015-004\r\n\r\n- - Onapsis SVS ID: ONAPSIS-00112\r\n\r\n- - CVE: CVE-2015-2075\r\n\r\n- - Researcher: Will Vandevanter\r\n\r\n- - Initial Base CVSS v2: 6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P)\r\n\r\n\r\n3. Vulnerability Information\r\n============================\r\n\r\n- - Vendor: SAP\r\n\r\n- - Affected Components:\r\n - BussinessObjects Edge 4.0\r\n (Check SAP Note 2011396 for detailed information on affected releases)\r\n\r\n- - Vulnerability Class: Improper Authorization (CWE-285)\r\n\r\n- - Remotely Exploitable: Yes\r\n\r\n- - Locally Exploitable: No\r\n\r\n- - Authentication Required: No\r\n\r\n- - Original Advisory:\r\nhttp://www.onapsis.com/esearch/security-advisories/sap-business-objects-unauthorized-audit-information-delete-via-corba\r\n\r\n\r\n4. Affected Components Description\r\n==================================\r\n\r\nBusiness Objects is part of the Business Intelligence platform from SAP.\r\nIt has components that provide performance management, planning,\r\nreporting, query and analysis and enterprise information management.\r\n\r\nEvery Business Objects installation provides a web service to interact\r\nwith different platform services.\r\n\r\n\r\n5. Vulnerability Details\r\n========================\r\n\r\nIt is possible for an unauthenticated user to remove audit events from a\r\nremote BusinessObjects service using CORBA. Specifically, the attacker\r\ncan tell the remote service (i.e. the auditee) to clear an event from\r\nit's queue. After the event is removed from the auditee queue, the\r\nauditor will never have knowledge of the event and, hence, it will not\r\nbe written to the Audit database. An attacker can use this to hide their\r\nactions. By default, the auditor polls all auditees every 5 minutes to\r\nask for events in their queue.\r\n\r\nNote, this vulnerability does not allow an attacker to remove events\r\nalready written to the database. It only allows events waiting in the\r\nauditee queue to be removed. The clearData CORBA operation is used to\r\nremove the event; authentication is not required.\r\n\r\n\r\n6. Solution\r\n===========\r\n\r\nSAP has released SAP Note 2011396 which provides patched versions of the\r\naffected components.\r\n\r\nThe patches can be downloaded from\r\nhttps://service.sap.com/sap/support/notes/2011396\r\n\r\nOnapsis strongly recommends SAP customers to download the related\r\nsecurity fixes and apply them to the affected components in order to\r\nreduce business risks.\r\n\r\n\r\n7. Report Timeline\r\n==================\r\n\r\n2014-01-16: Onapsis provides vulnerability information to SAP AG.\r\n2014-02-17: SAP confirms having the information of vulnerability.\r\n2014-10-14: SAP releases security patches.\r\n2015-02-25: Onapsis releases security advisory.\r\n\r\n\r\nAbout Onapsis Research Labs\r\n===========================\r\n\r\nOnapsis Research Labs provides the industry analysis of key security\r\nissues that impact business-critical systems and applications.\r\nDelivering frequent and timely security and compliance advisories with\r\nassociated risk levels, Onapsis Research Labs combine in-depth knowledge\r\nand experience to deliver technical and business-context with sound\r\nsecurity judgment to the broader information security community.\r\n\r\n\r\nAbout Onapsis, Inc.\r\n===================\r\n\r\nOnapsis gives organizations the adaptive advantage to succeed in\r\nsecuring business-critical applications by combining technology,\r\nresearch and analytics. Onapsis enables every security and compliance\r\nteam an adaptive approach to focus on the factors that matter most to\r\ntheir business?-critical applications that house vital data and run\r\nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile\r\ndeployments.\r\n\r\nOnapsis provides technology solutions including Onapsis X1, the de-facto\r\nSAP security auditing tool, and Onapsis Security Platform which delivers\r\nenterprise vulnerability, compliance, detection and response\r\ncapabilities with analytics.\r\n\r\nThe Onapsis Research Labs provide subject matter expertise that combines\r\nin-depth knowledge and experience to deliver technical and\r\nbusiness-context with sound security judgment. This enables\r\norganizations to efficiently uncover security and compliance gaps and\r\nprioritize the resolution within applications running on SAP platforms.\r\n\r\nOnapsis delivers tangible business results including decreased business\r\nrisk, highlighted compliance gaps, lower operational security costs and\r\ndemonstrable value on investment.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\nComment: Onapsis Research Team\r\n\r\niEYEARECAAYFAlTt3yEACgkQz3i6WNVBcDVbuACfXRTcTc+4MiUKl60VHRJaN1UR\r\n88AAoNbTMG4RaqtFA0eXT7HGdTL4anuM\r\n=VndN\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:DOC:31841", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31841", "title": "[Onapsis Security Advisory 2015-004] SAP Business Objects Unauthorized Audit Information Delete via CORBA", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nOnapsis Security Advisory ONAPSIS-2015-002: SAP Business Objects\r\nUnauthorized File Repository Server Read via CORBA\r\n\r\n\r\n1. Impact on Business\r\n=====================\r\n\r\nBy exploiting this vulnerability a remote unauthenticated attacker would be\r\nable to retrieve sensitive business data stored on the remote system.\r\n\r\nRisk Level: High\r\n\r\n\r\n2. Advisory Information\r\n=======================\r\n\r\n- - Public Release Date: 2015-02-25\r\n\r\n- - Subscriber Notification Date: 2015-02-25\r\n\r\n- - Last Revised: 2015-02-25\r\n\r\n- - Security Advisory ID: ONAPSIS-2015-002\r\n\r\n- - Onapsis SVS ID: ONAPSIS-00111\r\n\r\n- - CVE: CVE-2015-2073\r\n\r\n- - Researcher: Will Vandevanter\r\n\r\n- - Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)\r\n\r\n\r\n3. Vulnerability Information\r\n============================\r\n\r\n- - Vendor: SAP\r\n\r\n- - Affected Components:\r\n - BussinessObjects Edge 4.0\r\n (Check SAP Note 2018682 for detailed information on affected releases)\r\n\r\n- - Vulnerability Class: External Control of File Name or Path (CWE-73)\r\n\r\n- - Remotely Exploitable: Yes\r\n\r\n- - Locally Exploitable: No\r\n\r\n- - Authentication Required: No\r\n\r\n- - Original Advisory:\r\nhttp://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-read-via-corba\r\n\r\n4. Affected Components Description\r\n==================================\r\n\r\nBusiness Objects is part of the Business Intelligence platform from SAP.\r\nIt has components that provide performance management, planning,\r\nreporting, query and analysis and enterprise information management.\r\n\r\nEvery Business Objects installation provides a web service to interact\r\nwith different platform services.\r\n\r\n\r\n5. Vulnerability Details\r\n========================\r\n\r\nThe BusinessObjects File Repositoy Server (FRS) CORBA listener allows a\r\nuser to read any file stored in the FRS without authentication. The only\r\nrequirement is that the user know the name of the file in the FRS. For\r\nexample, "A?frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt"A?. With\r\nknowledge of this filename, the user can read the file remotely without\r\nauthentication.\r\n\r\nNote, using CORBA it also possible to test if a directory or file exists\r\non the file system. Therefore, although unlikely, an attacker could\r\nguess directories and then filenames to brute-force file locations. This\r\nwould be considerably easier with a predictable file naming convention.\r\n\r\n\r\n6. Solution\r\n===========\r\n\r\nSAP has released SAP Note 2018682 which provides patched versions of the\r\naffected components.\r\n\r\nThe patches can be downloaded from\r\nhttps://service.sap.com/sap/support/notes/2018682\r\nOnapsis strongly recommends SAP customers to download the related\r\nsecurity fixes and apply them to the affected components in order to\r\nreduce business risks.\r\n\r\n\r\n\r\n7. Report Timeline\r\n==================\r\n\r\n2014-01-16: Onapsis provides vulnerability information to SAP AG.\r\n2014-02-17: SAP confirms having the information of vulnerability.\r\n2014-10-14: SAP releases security patches.\r\n2015-02-25: Onapsis releases security advisory.\r\n\r\n\r\nAbout Onapsis Research Labs\r\n===========================\r\n\r\nOnapsis Research Labs provides the industry analysis of key security\r\nissues that impact business-critical systems and applications.\r\nDelivering frequent and timely security and compliance advisories with\r\nassociated risk levels, Onapsis Research Labs combine in-depth knowledge\r\nand experience to deliver technical and business-context with sound\r\nsecurity judgment to the broader information security community.\r\n\r\n\r\nAbout Onapsis, Inc.\r\n===================\r\n\r\nOnapsis gives organizations the adaptive advantage to succeed in\r\nsecuring business-critical applications by combining technology,\r\nresearch and analytics. Onapsis enables every security and compliance\r\nteam an adaptive approach to focus on the factors that matter most to\r\ntheir business-critical applications that house vital data and run\r\nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile\r\ndeployments.\r\n\r\nOnapsis provides technology solutions including Onapsis X1, the de-facto\r\nSAP security auditing tool, and Onapsis Security Platform which delivers\r\nenterprise vulnerability, compliance, detection and response\r\ncapabilities with analytics.\r\n\r\nThe Onapsis Research Labs provide subject matter expertise that combines\r\nin-depth knowledge and experience to deliver technical and\r\nbusiness-context with sound security judgment. This enables\r\norganizations to efficiently uncover security and compliance gaps and\r\nprioritize the resolution within applications running on SAP platforms.\r\n\r\nOnapsis delivers tangible business results including decreased business\r\nrisk, highlighted compliance gaps, lower operational security costs and\r\ndemonstrable value on investment.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\nComment: Onapsis Research Team\r\n\r\niEYEARECAAYFAlTt3vsACgkQz3i6WNVBcDViHgCguruVbAL1FxUjQlthB5sMx0J6\r\nzqwAnR7jg3BGxzAyhU3ClMSxJEfLQPgx\r\n=NrTV\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:DOC:31839", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31839", "title": "[Onapsis Security Advisory 2015-002] SAP Business Objects Unauthorized File Repository Server Read via CORBA", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nOnapsis Security AdvisoryONAPSIS-2015-005: SAP Business Objects\r\nUnauthorized Audit Information Access via CORBA\r\n\r\n\r\n1. Impact on Business\r\n=====================\r\n\r\nBy exploiting this vulnerability a remote unauthenticated attacker would be\r\nable to read auditing information thus accessing sensitive business data.\r\nAccess to this functionality should be restricted.\r\n\r\nRisk Level: Medium\r\n\r\n\r\n2. Advisory Information\r\n=======================\r\n\r\n- - Public Release Date: 2015-02-25\r\n\r\n- - Subscriber Notification Date: 2015-02-25\r\n\r\n- - Last Revised: 2015-02-25\r\n\r\n- - Security Advisory ID: ONAPSIS-2015-005\r\n\r\n- - Onapsis SVS ID: ONAPSIS-00110\r\n\r\n- - CVE: CVE-2015-2076\r\n\r\n- - Researcher: Will Vandevanter\r\n\r\n- - Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)\r\n\r\n\r\n3. Vulnerability Information\r\n============================\r\n\r\n- - Vendor: SAP\r\n\r\n- - Affected Components:\r\n - BussinessObjects Edge 4.0\r\n (Check SAP Note 2011395 for detailed information on affected releases)\r\n\r\n- - Vulnerability Class: Improper Authorization (CWE-285)\r\n\r\n- - Remotely Exploitable: Yes\r\n\r\n- - Locally Exploitable: No\r\n\r\n- - Authentication Required: No\r\n\r\n- - Original Advisory:\r\nhttp://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-audit-information-access-via-corba\r\n\r\n\r\n4. Affected Components Description\r\n==================================\r\n\r\nBusiness Objects is part of the Business Intelligence platform from SAP.\r\nIt has components that provide performance management, planning,\r\nreporting, query and analysis and enterprise information management.\r\n\r\nEvery Business Objects installation provides a web service to interact\r\nwith different platform services.\r\n\r\n\r\n5. Vulnerability Details\r\n========================\r\n\r\nIt is possible for an unauthenticated user to retrieve any audit events\r\nfrom a remote BusinessObjects service. This can disclose sensitive\r\ninformation including report names, universe queries, logins, etc.\r\nAuditing details are listed in the Auditing tab of the CMS. All services\r\nwhich expose a Auditing service are vulnerable. In the default setting\r\nthis includes allA BusinessObjects services except the CMS.\r\n\r\n\r\n6. Solution\r\n===========\r\n\r\nSAP has released SAP Note 2011395 which provides patched versions of the\r\naffected components.\r\n\r\nThe patches can be downloaded from\r\nhttps://service.sap.com/sap/support/notes/2011395\r\n\r\nOnapsis strongly recommends SAP customers to download the related\r\nsecurity fixes and apply them to the affected components in order to\r\nreduce business risks.\r\n\r\n\r\n7. Report Timeline\r\n==================\r\n\r\n2014-02-16: Onapsis provides vulnerability information to SAP AG.\r\n2014-02-17: SAP confirms having the information of vulnerability.\r\n2014-10-14: SAP releases security patches.\r\n2015-02-25: Onapsis releases security advisory.\r\n\r\n\r\nAbout Onapsis Research Labs\r\n===========================\r\n\r\nOnapsis Research Labs provides the industry analysis of key security\r\nissues that impact business-critical systems and applications.\r\nDelivering frequent and timely security and compliance advisories with\r\nassociated risk levels, Onapsis Research Labs combine in-depth knowledge\r\nand experience to deliver technical and business-context with sound\r\nsecurity judgment to the broader information security community.\r\n\r\n\r\nAbout Onapsis, Inc.\r\n===================\r\n\r\nOnapsis gives organizations the adaptive advantage to succeed in\r\nsecuring business-critical applications by combining technology,\r\nresearch and analytics. Onapsis enables every security and compliance\r\nteam an adaptive approach to focus on the factors that matter most to\r\ntheir business-critical applications that house vital data and run\r\nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile\r\ndeployments.\r\n\r\nOnapsis provides technology solutions including Onapsis X1, the de-facto\r\nSAP security auditing tool, and Onapsis Security Platform which delivers\r\nenterprise vulnerability, compliance, detection and response\r\ncapabilities with analytics.\r\n\r\nThe Onapsis Research Labs provide subject matter expertise that combines\r\nin-depth knowledge and experience to deliver technical and\r\nbusiness-context with sound security judgment. This enables\r\norganizations to efficiently uncover security and compliance gaps and\r\nprioritize the resolution within applications running on SAP platforms.\r\n\r\nOnapsis delivers tangible business results including decreased business\r\nrisk, highlighted compliance gaps, lower operational security costs and\r\ndemonstrable value on investment.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\nComment: Onapsis Research Team\r\n\r\niEYEARECAAYFAlTt3yoACgkQz3i6WNVBcDX5EQCfZG26JL1yFGvDoDGEJ+pthDeI\r\nTV8AoOEUz36esHb0Ax456UC4JmgFND3O\r\n=kgpo\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:DOC:31842", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31842", "title": "[Onapsis Security Advisory 2015-005] SAP Business Objects Unauthorized Audit Information Access via CORBA", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nOnapsis Security AdvisoryONAPSIS-2015-003: SAP Business Objects\r\nUnauthorized File Repository Server Write via CORBA\r\n\r\n\r\n1. Impact on Business\r\n=====================\r\n\r\nBy exploiting this vulnerability a remote unauthenticated attacker would be\r\nable to overwrite sensitive business data stored on the remote system.\r\n\r\nRisk Level: High\r\n\r\n\r\n2. Advisory Information\r\n=======================\r\n\r\n- - Public Release Date: 2015-02-25\r\n\r\n- - Subscriber Notification Date: 2015-02-25\r\n\r\n- - Last Revised: 2015-02-25\r\n\r\n- - Security Advisory ID: ONAPSIS-2015-003\r\n\r\n- - Onapsis SVS ID: ONAPSIS-00109\r\n\r\n- - CVE: CVE-2015-2074\r\n\r\n- - Researcher: Will Vandevanter\r\n\r\n- - Initial Base CVSS v2: 6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P)\r\n\r\n\r\n3. Vulnerability Information\r\n============================\r\n\r\n- - Vendor: SAP\r\n\r\n- - Affected Components:\r\n - BussinessObjects Edge 4.0\r\n (Check SAP Note 2018681 for detailed information on affected releases)\r\n\r\n- - Vulnerability Class: External Control of File Name or Path (CWE-73)\r\n\r\n- - Remotely Exploitable: Yes\r\n\r\n- - Locally Exploitable: No\r\n\r\n- - Authentication Required: No\r\n\r\n- - Original Advisory:\r\nhttp://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-write-via-corba\r\n\r\n\r\n4. Affected Components Description\r\n==================================\r\n\r\nBusiness Objects is part of the Business Intelligence platform from SAP.\r\nIt has components that provide performance management, planning,\r\nreporting, query and analysis and enterprise information management.\r\n\r\nEvery Business Objects installation provides a web service to interact\r\nwith different platform services.\r\n\r\n\r\n5. Vulnerability Details\r\n========================\r\n\r\nThe BusinessObjects File Repositoy Server (FRS) CORBA listener allows\r\nthe writing of any file stored in the FRS without authentication. If the\r\nattacker wishes to overwrite a file, the only requirement is that the\r\nuser know the name of the file in the FRS. For example,\r\nA?A?A?frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rptA?A?A?. With\r\nknowledge of this filename, the user can write the file remotely without\r\nauthentication.\r\n\r\nNote, using CORBA it is also possible to test if a directory or file\r\nexists on the file system. Therefore, although unlikely, an attacker\r\ncould guess directories and then filenames brute-forcing files to\r\noverwrite. This would be considerably easier with a predictable file\r\nnaming convention.\r\n\r\n\r\n6. Solution\r\n===========\r\n\r\nSAP has released SAP Note 2018681 which provides patched versions of the\r\naffected components.\r\n\r\nThe patches can be downloaded from\r\nhttps://service.sap.com/sap/support/notes/2018681\r\n\r\nOnapsis strongly recommends SAP customers to download the related\r\nsecurity fixes and apply them to the affected components in order to\r\nreduce business risks.\r\n\r\n\r\n7. Report Timeline\r\n==================\r\n\r\n2014-01-16: Onapsis provides vulnerability information to SAP AG.\r\n2014-02-17: SAP confirms having the information of vulnerability.\r\n2014-10-14: SAP releases security patches.\r\n2015-02-25: Onapsis releases security advisory.\r\n\r\n\r\nAbout Onapsis Research Labs\r\n===========================\r\n\r\nOnapsis Research Labs provides the industry analysis of key security\r\nissues that impact business-critical systems and applications.\r\nDelivering frequent and timely security and compliance advisories with\r\nassociated risk levels, Onapsis Research Labs combine in-depth knowledge\r\nand experience to deliver technical and business-context with sound\r\nsecurity judgment to the broader information security community.\r\n\r\n\r\nAbout Onapsis, Inc.\r\n===================\r\n\r\nOnapsis gives organizations the adaptive advantage to succeed in\r\nsecuring business-critical applications by combining technology,\r\nresearch and analytics. Onapsis enables every security and compliance\r\nteam an adaptive approach to focus on the factors that matter most to\r\ntheir business-critical applications that house vital data and run\r\nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile\r\ndeployments.\r\n\r\nOnapsis provides technology solutions including Onapsis X1, the de-facto\r\nSAP security auditing tool, and Onapsis Security Platform which delivers\r\nenterprise vulnerability, compliance, detection and response\r\ncapabilities with analytics.\r\n\r\nThe Onapsis Research Labs provide subject matter expertise that combines\r\nin-depth knowledge and experience to deliver technical and\r\nbusiness-context with sound security judgment. This enables\r\norganizations to efficiently uncover security and compliance gaps and\r\nprioritize the resolution within applications running on SAP platforms.\r\n\r\nOnapsis delivers tangible business results including decreased business\r\nrisk, highlighted compliance gaps, lower operational security costs and\r\ndemonstrable value on investment.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\nComment: Onapsis Research Team\r\n\r\niEYEARECAAYFAlTt3w8ACgkQz3i6WNVBcDWRkACffvfY2LtFi4zyVwTpYD1dIABD\r\nX8IAoK2UVIGnUiTYzEtfm0F6dAE9xoFR\r\n=OK8R\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2015-03-21T00:00:00", "published": "2015-03-21T00:00:00", "id": "SECURITYVULNS:DOC:31840", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31840", "title": "[Onapsis Security Advisory 2015-003] SAP Business Objects Unauthorized File Repository Server Write via CORBA", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:41", "bulletinFamily": "exploit", "description": "", "modified": "2015-02-25T00:00:00", "published": "2015-02-25T00:00:00", "href": "https://packetstormsecurity.com/files/130520/SAP-Business-Objects-Unauthorized-File-Repository-Server-Read.html", "id": "PACKETSTORM:130520", "type": "packetstorm", "title": "SAP Business Objects Unauthorized File Repository Server Read", "sourceData": "` \n-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nOnapsis Security Advisory ONAPSIS-2015-002: SAP Business Objects \nUnauthorized File Repository Server Read via CORBA \n \n \n1. Impact on Business \n===================== \n \nBy exploiting this vulnerability a remote unauthenticated attacker would be \nable to retrieve sensitive business data stored on the remote system. \n \nRisk Level: High \n \n \n2. Advisory Information \n======================= \n \n- - Public Release Date: 2015-02-25 \n \n- - Subscriber Notification Date: 2015-02-25 \n \n- - Last Revised: 2015-02-25 \n \n- - Security Advisory ID: ONAPSIS-2015-002 \n \n- - Onapsis SVS ID: ONAPSIS-00111 \n \n- - CVE: CVE-2015-2073 \n \n- - Researcher: Will Vandevanter \n \n- - Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N) \n \n \n3. Vulnerability Information \n============================ \n \n- - Vendor: SAP \n \n- - Affected Components: \n- BussinessObjects Edge 4.0 \n(Check SAP Note 2018682 for detailed information on affected releases) \n \n- - Vulnerability Class: External Control of File Name or Path (CWE-73) \n \n- - Remotely Exploitable: Yes \n \n- - Locally Exploitable: No \n \n- - Authentication Required: No \n \n- - Original Advisory: \nhttp://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-read-via-corba \n \n4. Affected Components Description \n================================== \n \nBusiness Objects is part of the Business Intelligence platform from SAP. \nIt has components that provide performance management, planning, \nreporting, query and analysis and enterprise information management. \n \nEvery Business Objects installation provides a web service to interact \nwith different platform services. \n \n \n5. Vulnerability Details \n======================== \n \nThe BusinessObjects File Repositoy Server (FRS) CORBA listener allows a \nuser to read any file stored in the FRS without authentication. The only \nrequirement is that the user know the name of the file in the FRS. For \nexample, \"\u00c2\u009cfrs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt\"\u00c2\u009d. With \nknowledge of this filename, the user can read the file remotely without \nauthentication. \n \nNote, using CORBA it also possible to test if a directory or file exists \non the file system. Therefore, although unlikely, an attacker could \nguess directories and then filenames to brute-force file locations. This \nwould be considerably easier with a predictable file naming convention. \n \n \n6. Solution \n=========== \n \nSAP has released SAP Note 2018682 which provides patched versions of the \naffected components. \n \nThe patches can be downloaded from \nhttps://service.sap.com/sap/support/notes/2018682 \nOnapsis strongly recommends SAP customers to download the related \nsecurity fixes and apply them to the affected components in order to \nreduce business risks. \n \n \n \n7. Report Timeline \n================== \n \n2014-01-16: Onapsis provides vulnerability information to SAP AG. \n2014-02-17: SAP confirms having the information of vulnerability. \n2014-10-14: SAP releases security patches. \n2015-02-25: Onapsis releases security advisory. \n \n \nAbout Onapsis Research Labs \n=========================== \n \nOnapsis Research Labs provides the industry analysis of key security \nissues that impact business-critical systems and applications. \nDelivering frequent and timely security and compliance advisories with \nassociated risk levels, Onapsis Research Labs combine in-depth knowledge \nand experience to deliver technical and business-context with sound \nsecurity judgment to the broader information security community. \n \n \nAbout Onapsis, Inc. \n=================== \n \nOnapsis gives organizations the adaptive advantage to succeed in \nsecuring business-critical applications by combining technology, \nresearch and analytics. Onapsis enables every security and compliance \nteam an adaptive approach to focus on the factors that matter most to \ntheir business-critical applications that house vital data and run \nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile \ndeployments. \n \nOnapsis provides technology solutions including Onapsis X1, the de-facto \nSAP security auditing tool, and Onapsis Security Platform which delivers \nenterprise vulnerability, compliance, detection and response \ncapabilities with analytics. \n \nThe Onapsis Research Labs provide subject matter expertise that combines \nin-depth knowledge and experience to deliver technical and \nbusiness-context with sound security judgment. This enables \norganizations to efficiently uncover security and compliance gaps and \nprioritize the resolution within applications running on SAP platforms. \n \nOnapsis delivers tangible business results including decreased business \nrisk, highlighted compliance gaps, lower operational security costs and \ndemonstrable value on investment. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1 \nComment: Onapsis Research Team \n \niEYEARECAAYFAlTt3vsACgkQz3i6WNVBcDViHgCguruVbAL1FxUjQlthB5sMx0J6 \nzqwAnR7jg3BGxzAyhU3ClMSxJEfLQPgx \n=NrTV \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/130520/ONAPSIS-2015-002.txt", "cvss": {"score": 3.7, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-12-05T22:24:24", "bulletinFamily": "exploit", "description": "", "modified": "2015-02-25T00:00:00", "published": "2015-02-25T00:00:00", "href": "https://packetstormsecurity.com/files/130521/SAP-Business-Objects-Unauthorized-File-Repository-Server-Write.html", "id": "PACKETSTORM:130521", "type": "packetstorm", "title": "SAP Business Objects Unauthorized File Repository Server Write", "sourceData": "` \n-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nOnapsis Security AdvisoryONAPSIS-2015-003: SAP Business Objects \nUnauthorized File Repository Server Write via CORBA \n \n \n1. Impact on Business \n===================== \n \nBy exploiting this vulnerability a remote unauthenticated attacker would be \nable to overwrite sensitive business data stored on the remote system. \n \nRisk Level: High \n \n \n2. Advisory Information \n======================= \n \n- - Public Release Date: 2015-02-25 \n \n- - Subscriber Notification Date: 2015-02-25 \n \n- - Last Revised: 2015-02-25 \n \n- - Security Advisory ID: ONAPSIS-2015-003 \n \n- - Onapsis SVS ID: ONAPSIS-00109 \n \n- - CVE: CVE-2015-2074 \n \n- - Researcher: Will Vandevanter \n \n- - Initial Base CVSS v2: 6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P) \n \n \n3. Vulnerability Information \n============================ \n \n- - Vendor: SAP \n \n- - Affected Components: \n- BussinessObjects Edge 4.0 \n(Check SAP Note 2018681 for detailed information on affected releases) \n \n- - Vulnerability Class: External Control of File Name or Path (CWE-73) \n \n- - Remotely Exploitable: Yes \n \n- - Locally Exploitable: No \n \n- - Authentication Required: No \n \n- - Original Advisory: \nhttp://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-write-via-corba \n \n \n4. Affected Components Description \n================================== \n \nBusiness Objects is part of the Business Intelligence platform from SAP. \nIt has components that provide performance management, planning, \nreporting, query and analysis and enterprise information management. \n \nEvery Business Objects installation provides a web service to interact \nwith different platform services. \n \n \n5. Vulnerability Details \n======================== \n \nThe BusinessObjects File Repositoy Server (FRS) CORBA listener allows \nthe writing of any file stored in the FRS without authentication. If the \nattacker wishes to overwrite a file, the only requirement is that the \nuser know the name of the file in the FRS. For example, \n\u00c3\u00a2\u00c2\u0080\u00c2\u009cfrs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt\u00c3\u00a2\u00c2\u0080\u00c2\u009d. With \nknowledge of this filename, the user can write the file remotely without \nauthentication. \n \nNote, using CORBA it is also possible to test if a directory or file \nexists on the file system. Therefore, although unlikely, an attacker \ncould guess directories and then filenames brute-forcing files to \noverwrite. This would be considerably easier with a predictable file \nnaming convention. \n \n \n6. Solution \n=========== \n \nSAP has released SAP Note 2018681 which provides patched versions of the \naffected components. \n \nThe patches can be downloaded from \nhttps://service.sap.com/sap/support/notes/2018681 \n \nOnapsis strongly recommends SAP customers to download the related \nsecurity fixes and apply them to the affected components in order to \nreduce business risks. \n \n \n7. Report Timeline \n================== \n \n2014-01-16: Onapsis provides vulnerability information to SAP AG. \n2014-02-17: SAP confirms having the information of vulnerability. \n2014-10-14: SAP releases security patches. \n2015-02-25: Onapsis releases security advisory. \n \n \nAbout Onapsis Research Labs \n=========================== \n \nOnapsis Research Labs provides the industry analysis of key security \nissues that impact business-critical systems and applications. \nDelivering frequent and timely security and compliance advisories with \nassociated risk levels, Onapsis Research Labs combine in-depth knowledge \nand experience to deliver technical and business-context with sound \nsecurity judgment to the broader information security community. \n \n \nAbout Onapsis, Inc. \n=================== \n \nOnapsis gives organizations the adaptive advantage to succeed in \nsecuring business-critical applications by combining technology, \nresearch and analytics. Onapsis enables every security and compliance \nteam an adaptive approach to focus on the factors that matter most to \ntheir business-critical applications that house vital data and run \nbusiness processes including SAP Business Suite, SAP HANA and SAP Mobile \ndeployments. \n \nOnapsis provides technology solutions including Onapsis X1, the de-facto \nSAP security auditing tool, and Onapsis Security Platform which delivers \nenterprise vulnerability, compliance, detection and response \ncapabilities with analytics. \n \nThe Onapsis Research Labs provide subject matter expertise that combines \nin-depth knowledge and experience to deliver technical and \nbusiness-context with sound security judgment. This enables \norganizations to efficiently uncover security and compliance gaps and \nprioritize the resolution within applications running on SAP platforms. \n \nOnapsis delivers tangible business results including decreased business \nrisk, highlighted compliance gaps, lower operational security costs and \ndemonstrable value on investment. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1 \nComment: Onapsis Research Team \n \niEYEARECAAYFAlTt3w8ACgkQz3i6WNVBcDWRkACffvfY2LtFi4zyVwTpYD1dIABD \nX8IAoK2UVIGnUiTYzEtfm0F6dAE9xoFR \n=OK8R \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 4.7, "vector": "AV:NETWORK/AC:LOW/Au:UNKNOWN/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130521/ONAPSIS-2015-003.txt"}]}