RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

SAP NetWeaver

Product
The name of the base system (platform): SAP Business Suite
Developers: SAP SE
Last Release Date: 2018/10/05
Technology: SOA

Content

SAP NetWeaver is the integration and applied platform of SAP AG company, a technical basis of a complex of the solutions SAP Business Suite, composite SAP applications of xApps, partner solutions and applications developed by clients of the company. It implements architecture of services of the enterprise (Enterprise Services Architecture) – the concept of SAP on creation of service-based business applications.

History

2020: Products of the Circuit passed the program of certification of integration with SAP NetWeaver

Products of the Circuit passed the program of certification of integration with SAP NetWeaver — the platform on which complete solutions for business are based. The integration Circuit.ERP complex integrates accounting, production management and electronic document management. The solution certified on compatibility with SAP NetWeaver corresponds to the domestic legislation, suits the Russian and international companies which do business in Russia. Read more here.

2018

Integration with the EDS products Rutoken

On November 26, 2018 the Aktiv company reported that together with SAP CIS completed the testing which confirmed compatibility of the products Rutoken EDS with the systems of SAP. Read more here.

Vulnerabilities of SAP NetWeaver

On October 5, 2018 the Positive Technologies company announced that specialists of the company detected and helped to close vulnerabilities in SAP products for corporate data storage and business process automation.

Errors allow to abduct passwords and identifiers of sessions of users, to attack internal services, to perform harmful operations in the application on behalf of attacked. The first two vulnerabilities belong to the XSS type (cross-site accomplishment of scenarios). More dangerous of them (CVE-2017-16685) is revealed in a component of the data warehouse of SAP Business Warehouse Universal Data Integration, it got assessment 6.9 points and is present at versions 7.50 below. The second vulnerability is found in SAP NetWeaver Development Infrastructure Cockpit, received assessment 5.4 and is described in the notification on security (SAP Security Note) at number 2444673.

File:Aquote1.png
"Both vulnerabilities are caused by lack of due filtering of parameter values of a user query to the server which allows attacking to execute any JavaScript code in the user's browser. It is enough to malefactor to send to the victim specially created link (as in case of CVE-2017-16685) or, having rights of the authorized user, to add a malicious code on the page of the application (Security Note 2444673). It can lead to plunder of the identifier of a session of the user or accomplishment of any action in the application on behalf of attacked".
File:Aquote2.png

Also specialists of Positive Technologies detected vulnerability of CVE-2017-16678 (6.6 points) in SAP NetWeaver Knowledge Management Configuration Service — the SAP application which is responsible for system configuration. Vulnerability of the class Server-Side Request Forgery (SSRF) allows the malefactor authorized in the application to attack the different services which are in external or internal networks, forcing the server on which there is vulnerable SAP application, to send any harmful HTTP requests for the corresponding nodes of network. Operation of vulnerability is possible also on behalf of the legitimate user if that, being authorized in the application, visits the page under control of the malefactor — in this scenario counterfeit of a cross-site request (Cross Site Request Forgery) can be used in addition. Errors are found in the EPBC and EPBC2 components in versions from 7 a.m. till 7:02 a.m. and also KMC-BC of versions 7.30, 7.31, 7.40 and 7.50.

In addition, in SAP application of NetWeaver System Landscape Directory which serves for data storage about hardware and program components vulnerability of disclosure of information was revealed (assessment 4.3 is described in Security Note at number 2527770). It allows attacking using port scanning to obtain information on internal network in which there is a server.

Later the SAP company also eliminated the vulnerabilities of CVE-2018-2401 and CVE-2018-2366 found experts of Positive Technologies in SAP Business Process Automation (BPA) By Redwood — the platform intended for business process automation of the enterprise.

The defect of CVE-2018-2401 (assessment 5.4 points) is found in version 9.0 in SAP BPA. He allows the user authorized in a system to read any files of the server, using a lack of processing of XML documents of the user that leads to the attack of implementation of external entities (XML External Entity). For vulnerability operation the malefactor can transfer specially created XML document to the server that will provoke an error in which text there will be contents of the file of the server. The second vulnerability in SAP BPA belongs to the Directory Bypass type (Directory Traversal, CVE-2018-2366), she got assessment 4.3 points. Versions 9.0 and 9.1 are subject to it. As an origin of this shortcoming incorrect parsing of a line of a request on server side served that allows to read local files of the server, including system. Reading files can lead to interception of sensitive these users, for example their passwords or configuration files that can lead further to a bypass of a system of protection.

As noted the listed vulnerabilities detected by specialists of Positive Technologies in SAP CIS company were eliminated during the period from September, 2017 to March, 2018.

2017: Vulnerabilities of SAP NetWeaver

On April 24, 2017 the Positive Technologies company announced detection of vulnerabilities in SAP NetWeaver 7.31 technology. It is offered to users of the platform to set security updates.

Experts revealed vulnerabilities in program SAP components of Enterprise Portal Navigation, SAP NetWeaver Log Viewer and SAP Enterprise Portal Theme Editor which are a part of the SAP NetWeaver platform. Shortcomings of security allow attacking to execute interception of credentials for an input, to register clicking of keys, to change data and to perform other illegitimate operations, up to a complete compromise of a system.

Specialists of the company Yury Aleynov, Egor Dimitrenko, Roman Poneev and Mikhail Klyuchnikov participated in a research. Four vulnerabilities of cross-site accomplishment of scenarios (Cross-Site Scripting, XSS) are detected in components of the corporate SAP Enterprise Portal web portal — SAP Enterprise Portal Navigation (assessment 6.1 on CVSSv3 scale) and SAP Enterprise Portal Theme Editor (three gaps with estimates 5.4, 6.1 and 6.1 on CVSSv3 scale).

Operating vulnerabilities the malefactor can get access to tokens of a session of the victim, credentials for an input and other confidential information in the browser, to perform different operations from a user name, to change HTML page contents, to intercept clicking of keys. Recommendations about elimination of these shortcomings are described in notifications on security (SAP Security note) at numbers 2369469, 2372183, 2372204 and 2377626.

File:Aquote1.png
The largest companies of the world use SAP for management of financial flows, product lifecycle, vendor relation and clients, resources of the enterprises, deliveries and other crucial business processes. Therefore the security of information which is stored in the systems of SAP plays huge value, and violation of confidentiality of such data can lead to catastrophic effects for business.

Dmitry Gutsko, head of the safety department of business systems of Positive Technologies
File:Aquote2.png

Vulnerability of a bypass of the directory (Directory Traversal, assessment 5.9 on CVSSv3 scale) — allows to load any files in a SAP component of NetWeaver Log Viewer. When loading of incorrectly created archive containing files with special characters in the name, and its subsequent unpacking, the web application will recognize characters "." and "/" as a part of a correct way of the file that allows malefactors to operate vulnerability of a bypass of the directory and to load files into any place of a server file system.

Effects of loading of any files can cause a system compromise, excessive load of the file system or the database, distribution of the attack on the server systems and substitution of data (defacement). Extent of influence of this vulnerability is high as any code can be executed in the context of the server. The actions allowing to eliminate this defect are described in the notification on security of SAP at number 2370876.

File:Aquote1.png
All listed vulnerabilities were closed within Security Patch Day in January, 2017. Thanks to colleagues for the done work. It once again reminds owners of systems of need to timely update versions of software products, to trace the publication SAP Note on security and to set the patches described in them.

Dmitry Kostrov, the Chief information security officer in SAP CIS
File:Aquote2.png

2016: Vulnerabilities of SAP NetWeaver

On June 20, 2016 the research of Digital Security company which revealed numerous vulnerabilities in SAP NetWeaver of SAP company was issued. Software - a technical basis for all SAP applications of Business Suite. Products on the SAP NW platform use thousands of the companies in the world, including – in Russia and the CIS.

Author of work Vaagn Vardyanyan, expert of department of security audit of SAP in Digital Security company. Scanning was carried out on 7348 SAP servers available via the Internet. On the server where the research was conducted, it is installed about 1400 components (applications).


Operation of vulnerabilities

During the analysis of security of SAP NetWeaver the set of vulnerabilities, including vulnerability of disclosure of information, SQL injection, an error of hashing of passwords was revealed. Sharing of these security concerns in certain cases gives the chance to receive at first logins of users, passwords then ciphered, further, owing to hashing misimplementation, – to take control of the password of any user of SAP JAVA.

If the malefactor detects one or several of the listed vulnerabilities, effects can be different. For example, using only to a bug of disclosure of logins of users, he can receive logins of users and open the portal on address/irj/portal. Further, if it begins to enter the wrong passwords to logins, after 3-5 attempts all accounts, and business processes of the attacked company just will be blocked will stop until administrators unblock them in the manual mode.

Other vector of the attacks can be connected with SQL injection. Using this vulnerability, the malefactor can send 3-10 web requests to the JAVA SAP NW server and request the large volume of data from base. Further, the DB uses all resources of the server for satisfaction of the request attacking, at the same time the server will cease to respond to all legitimate requests from the staff of SAP. And before us – the classical picture DoS. Besides, the malefactor can just obtain any data, including critical, from JAVA SAP NW DB without the DoS-ataki organization.

Operation of SQL injection will allow to receive a hash of users. And if it is involved and the vulnerability connected with an error of hashing of passwords is represented an opportunity "in one click" to take control of admin password or accountants, to steal money from accounts of the company and to transfer them to any bank and also to receive complete user base, access to personal information with a possibility of the subsequent sale.

The research showed that about 1013 servers are subject to vulnerability of disclosure of information (~ 14% of total number of the scanned servers, 7348).


Chart of availability of ports, (2016)

Eloquently statistics of availability of a servlet which can contain vulnerability of SQL injection looks: 2174 servers (i.e. ~ 30% of total number of the scanned servers, 7348).

Chart of availability of a servlet, (2016)

The researcher of Digital Security notified SAP company on the found vulnerabilities, the vendor quickly released patches and recommended to users to update software. The critical risk level was appropriated to some of the detected security concerns (9.1/10, on classification of SAP).

2010

NetWeaver 7.3

According to representatives of SAP, in 2010 the version of the platform — NetWeaver 7.3 for which the improved support of Java, including certification on compliance of Java EE5 and also expanded support of web services, the complemented abilities to manage by identification and different improvements in the field of ensuring productivity of work of users, including corporate "working spaces" is promised much will be released.[1]

As specify in SAP, further the platform will be involved in three key technology strategy of the company: in the field of mobile applications, cloud software and calculations in RAM. NetWeaver is going to be integrated with the platform of mobile applications received with Sybase purchase. On the basis of NetWeaver the project of the gateway Gateway which will allow to provide data access of the systems of SAP using different devices and applications is also developed. Besides, the mechanism of calculations in RAM used in a series of analytical servers of SAP announced earlier will be attached to the platform. In the strategy of cloud platforms the SAP platform will be used for providing abilities to manage and development.

Let's note that according to some observers, NetWeaver develops not so actively recently as competitive stacks of binding software of corporations Oracle and IBM. As a result there were rumors that SAP will purchase the large producer of binding software like TIBCO or Software AG sooner or later.

The supported standards

For May, 2010 SAP the NetWeaver platform supports internet- standards, such as HTTP, XML and Web services. Thereby the openness and compatibility with Wednesdays Microsoft.NET and Java 2 Platform Enterprise Edition (J2EE) is provided, for example IBM WebSphere.

Components and SAP NetWeaver tools

(Data are relevant for May, 2010)

Components

Tools

Additional solutions

  • Archiving and management of documents and data of SAP.

Notes