Base system (platform): SAP Business Suite
Developer: SAP SE
Last release date: 2018/10/05
Technology: SOA
SAP NetWeaver is the integration and application platform of SAP AG and the technical basis of the SAP Business Suite ("Modern Enterprise Management") solutions, of composite SAP xApps applications, of partner solutions and of applications developed by the company's customers. It implements Enterprise Services Architecture, SAP's concept for building service-based business applications.
History
2025: FSTEC warned of a critical vulnerability in the development tool for SAP. Surgutneftegas, Gazprom and Rosneft are under threat
In mid-January, FSTEC warned of the discovery of a critical vulnerability, BDU:2025-00254[1], in the software for developing and executing ABAP-language applications that is part of the SAP NetWeaver Application Server. Its severity is rated 9.9 on the CVSSv3 scale, but no public exploit has been released so far. SAP has developed fixes and recommends updating.
The vulnerability in SAP Web Application Server stems from incorrect assignment of permissions to a critical resource, which allows a remote attacker "to affect the confidentiality, integrity and availability of protected information," as the vulnerability description puts it. In practice, an attacker can use it to bypass authentication and execute their own code in the context of the NetWeaver application server. Since that server is part of the execution environment for "heavy" corporate applications, the consequences of such a compromise are obvious: attackers can interfere with the operation of industrial ERP systems running on SAP.
SAP Web Application Server is a component of SAP NetWeaver that acts as the web application server for SAP systems running at many oil and gas companies, for example Surgutneftegas, Gazprom and Rosneft, as well as companies in other industries, - Roman Karpov, Director of Strategy and Technology Development at Axiom JDK, told TAdviser. - The product includes ABAP and Java application servers. It is possible to install both parts (stacks) either together or separately. According to research, as of May 2024 SAP occupied 66% of the Russian ERP systems market, although it has left the Russian market and stopped providing updates.
That is why a vulnerability in such a product can be very dangerous: it poses a threat to critical enterprises of the Russian economy.
Development on this tool is carried out by those who are using SAP now, - Oleg Logvinov, General Director of Logvinov Consulting Service, reminded TAdviser readers. - And that is the entire oil and gas and mining sector, metallurgy, transport and partly mechanical engineering. Approximately 60% of the country's GDP is produced by companies using SAP.
However, to exploit the vulnerability, attackers must first gain access to the NetWeaver server, which enterprises try to prevent by placing such critical elements of the corporate infrastructure behind a strong security perimeter and organizing secure access to them. Although the vendor has released fixes, updating the affected products can be difficult for Russian enterprises. For users of vulnerable SAP versions, FSTEC therefore recommends:
- Use a web application firewall (WAF) to restrict remote access to the vulnerable software;
- Restrict access to the vulnerable software to an allowlist ("white list") of IP addresses;
- Minimize user privileges when working with NetWeaver;
- Disable or completely delete unused user accounts;
- Configure secure communications for remote access to NetWeaver.
Oleg Logvinov, assessing the danger of such a vulnerability for the Russian economy, proposes a radical approach to vulnerabilities of this type in SAP: creating a state-controlled competence center whose duties would include:
- Creating a trusted environment for untrusted components;
- Developing a methodology for protecting SAP applications;
- Auditing the protection of SAP applications;
- Providing consulting services on installing and organizing secure development and operation environments for SAP;
- Checking installed patches for backdoors ("bookmarks");
- Drafting relevant amendments to Russian legislation;
- Working with the security services on localizing source code in the Russian Federation.
FSTEC is in fact moving roughly in this direction as part of improving the secure development infrastructure in Russia. However, the agency does not have the authority to organize such a competence center; such a decision would have to be made at a higher level.
2020: Kontur Products Pass SAP NetWeaver Integration Certification Program
Kontur's products have passed a certification program for integration with SAP NetWeaver, the platform on which comprehensive business solutions are built. The Kontur.ERP integration complex combines accounting, production management and electronic document management. The SAP NetWeaver certified solution complies with domestic legislation and is suitable for Russian and international companies doing business in Russia.
2018
Integration with Rutoken EDS products
On November 26, 2018, Aktiv announced that it had completed testing with SAP CIS confirming the compatibility of Rutoken EDS products with SAP systems.
SAP NetWeaver vulnerabilities
On October 5, 2018, Positive Technologies announced that the company's specialists had discovered and helped close vulnerabilities in SAP products for enterprise data storage and business process automation.
The flaws allow attackers to steal passwords and user session identifiers, attack internal services, and perform malicious actions in the application on behalf of the user. The first two vulnerabilities are of the XSS (cross-site scripting) type. The more dangerous one (CVE-2017-16685) was identified in the SAP Business Warehouse Universal Data Integration component; it received a score of 6.9 and is present in versions 7.50 and below. The second vulnerability was found in the SAP NetWeaver Development Infrastructure Cockpit, received a score of 5.4 and is described in SAP Security Note 2444673.
"Both vulnerabilities are caused by the lack of proper filtering of user request parameter values to the server, which allows an attacker to execute arbitrary JavaScript code in the user's browser. It is enough for an attacker to send a specially crafted link to his victim (as in the case of CVE-2017-16685) or, having the rights of an authorized user, add malicious code to the application page (Security Note 2444673). This can lead to theft of the user's session ID or any action in the application on behalf of the attacker."
Positive Technologies also discovered vulnerability CVE-2017-16678 (6.6 points) in the SAP NetWeaver Knowledge Management Configuration Service, an SAP application responsible for system configuration. This Server-Side Request Forgery (SSRF) vulnerability allows an attacker authorized in the application to attack various services located on external or internal networks by forcing the server hosting the vulnerable SAP application to send arbitrary malicious HTTP requests to those network nodes. Exploitation is also possible on behalf of a legitimate user if, while authorized in the application, he visits a page controlled by the attacker; in this scenario Cross-Site Request Forgery can additionally be used. The flaws were found in the EPBC and EPBC2 components in versions 7.00 to 7.02, as well as in KMC-BC versions 7.30, 7.31, 7.40 and 7.50.
In addition, an information disclosure vulnerability (described in Security Note 2527770, score 4.3) was identified in the SAP NetWeaver System Landscape Directory application, which stores data on hardware and software components. It allows an attacker to use port scanning to obtain information about the internal network on which the server is located.
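Both flaws above share one root cause: the server issues a request to a destination the client chose. The usual mitigation is an outbound-request guard that allows only known hosts, default ports and globally routable addresses. The following is an added example written for this page, not code from SAP or from Positive Technologies; the host "reports.example.com", the allowlist and the function names are constructed assumptions, and the optional `resolver` argument exists so the check can be exercised without network access.

```python
"""Outbound-request guard against SSRF (added example, not SAP's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only external service this hypothetical
# configuration module is allowed to call.
ALLOWED_HOSTS = {"reports.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # None means the scheme's default port


def is_public_address(text):
    """True only for globally routable addresses: loopback, RFC 1918,
    link-local, multicast and reserved ranges are all rejected, which is
    what stops the server being used to reach internal nodes."""
    return ipaddress.ip_address(text).is_global


def default_resolver(host):
    """Resolve a hostname to every address it maps to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the application would fetch on
    a user's request. Every rejection path states its reason so the
    decision can be logged."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port          # raises ValueError on junk such as :abc
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        # Arbitrary ports would let the server be used as a port scanner.
        return False, "port not allowed: %r" % port
    # Literal IP addresses bypass the hostname allowlist, so refuse them.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist: %r" % host
    # Check what the name resolves to: a DNS record pointing at an internal
    # address must not turn an allowed name into an internal request.
    for addr in resolver(host):
        if not is_public_address(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"
```

The resolve-then-connect sequence still leaves a window in which the DNS answer can change between the check and the connection; a production client should connect to the address it validated rather than re-resolving the name.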
Later, SAP also fixed vulnerabilities CVE-2018-2401 and CVE-2018-2366, found by Positive Technologies experts in SAP Business Process Automation (BPA) by Redwood, a platform designed to automate enterprise business processes.
The CVE-2018-2401 defect (score 5.4) was found in SAP BPA version 9.0. It allows a user authorized in the system to read any file on the server by exploiting the lack of validation of user-supplied XML documents, which leads to an XML External Entity (XXE) attack. To exploit the vulnerability, an attacker can send the server a specially crafted XML document that provokes an error whose message contains the contents of a server file. The second vulnerability in SAP BPA is of the Directory Traversal type (CVE-2018-2366) and received a score of 4.3; versions 9.0 and 9.1 are affected. Its cause is incorrect parsing of the query string on the server side, which allows local server files, including system files, to be read. Reading files can expose sensitive data such as user passwords or configuration files, which can in turn lead to bypassing the security system.
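The XXE description above combines two defects: a parser that honours DTD entity declarations, and an error message that echoes what the parser read. The following added example, written for this page and not taken from SAP BPA, shows the two corresponding fixes for an XML intake endpoint: refuse any document carrying a DOCTYPE or ENTITY declaration before it reaches the parser, and return only a generic message to the client. The `<order>` document format and the function names are assumptions; the sample inputs are constructed.

```python
"""Hardened handling of user-supplied XML (added example, not SAP BPA's code)."""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration is refused before the parser sees the
# document: without a DTD there is nothing an external entity can hook into.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse bytes received from a client; refuse documents that carry a DTD."""
    if _DTD_MARKERS.search(data):
        raise UnsafeXmlError("DTD / entity declarations are not accepted")
    return ET.fromstring(data)


def process_order_xml(data):
    """Return (ok, message). The message returned to the client never
    contains parser output or data read while parsing, so a malformed or
    hostile document cannot turn an error message into a file read."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXmlError:
        return False, "document rejected: DTD not allowed"
    except ET.ParseError:
        # Log the detail server-side; tell the client only that it failed.
        return False, "document rejected: not well-formed"
    order_id = root.findtext("id")
    if root.tag != "order" or not order_id:
        return False, "document rejected: expected <order> with <id>"
    return True, "accepted order %s" % order_id


# Constructed sample inputs, not real SAP BPA traffic.
BENIGN_ORDER = b"<order><id>4711</id><item>bolts</item></order>"
# The classic XXE shape: an external entity pointing at a server file,
# placed in an element the application would otherwise reflect in its reply.
XXE_ORDER = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE order [<!ENTITY f SYSTEM "file:///etc/hostname">]>'
             b"<order><id>&f;</id></order>")
```

Python's bundled expat parser does not fetch external entities on its own, so the pre-parse check is belt-and-braces here; the Java XML parsers typical of a NetWeaver stack do resolve them unless the relevant features are disabled, which is why the check matters there. In production Python code the defusedxml package is the usual way to get the same protection.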
As noted in SAP CIS, the listed vulnerabilities discovered by Positive Technologies specialists were fixed in the period from September 2017 to March 2018.
2017: SAP NetWeaver Vulnerabilities
On April 24, 2017, Positive Technologies announced the identification of vulnerabilities in SAP NetWeaver 7.31 technology. Platform users are advised to install security updates.
Experts identified vulnerabilities in the SAP Enterprise Portal Navigation, SAP NetWeaver Log Viewer and SAP Enterprise Portal Theme Editor software components, which are part of the SAP NetWeaver platform. The security flaws allow attackers to intercept login credentials, log keystrokes, spoof data and perform other illegitimate actions, up to and including complete compromise of the system.
The research was carried out by the company's specialists Yuri Aleinov, Yegor Dimitrenko, Roman Poneev and Mikhail Klyuchnikov. Four Cross-Site Scripting (XSS) vulnerabilities were found in the SAP Enterprise Portal: in SAP Enterprise Portal Navigation (rated 6.1 on the CVSSv3 scale) and in SAP Enterprise Portal Theme Editor (three flaws, rated 5.4, 6.1 and 6.1 on the CVSSv3 scale).
By exploiting the vulnerabilities, an attacker can gain access to the victim's session tokens, login credentials and other confidential information in the browser, perform various actions on behalf of the user, change the contents of the HTML page, and intercept keystrokes. Refer to SAP Security Notes 2369469, 2372183, 2372204 and 2377626 for recommendations on resolving these issues.
The world's largest companies use SAP to manage financial flows, product lifecycle, supplier and customer relationships, enterprise resources, supplies and other critical business processes. Therefore the security of information stored in SAP systems plays a huge role, and a violation of the confidentiality of such data can lead to catastrophic consequences for a business, - Dmitry Gutsko, Head of Business System Security at Positive Technologies.
A Directory Traversal vulnerability (rated 5.9 on the CVSSv3 scale) in the SAP NetWeaver Log Viewer component allows arbitrary files to be uploaded. When a malformed archive containing files whose names include special characters is uploaded and then unpacked, the web application treats the ".." and "/" characters as part of a valid file path, which allows attackers to exploit the directory traversal vulnerability and write files anywhere on the server's file system.
The consequences of uploading arbitrary files can include compromise of the system, excessive load on the file system or database, the spread of the attack to other server systems, and data substitution (defacement). The impact of this vulnerability is high, since arbitrary code can be executed in the context of the server. The steps to address this issue are described in SAP Security Note 2370876.
All of these vulnerabilities were closed as part of Security Patch Day in January 2017. Thanks to our colleagues for the work done. It once again reminds system owners to update software versions in a timely manner, track the publication of SAP Security Notes and install the patches described in them.
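The Log Viewer flaw above is the archive form of path traversal, and the BPA query-string flaw in the 2018 section is the same problem with a single file name; one containment check covers both. The following is an added example written for this page, not the Log Viewer's actual unpacking code: every entry name is resolved against the destination directory before anything is written, and the whole archive is rejected if any entry escapes. The archive contents are constructed test data and the function names are assumptions.

```python
"""Archive unpacking with a path-containment check (added example, not SAP's Log Viewer code)."""
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(entries):
    """Build an in-memory ZIP from (name, bytes) pairs. Constructed test
    data only: zipfile does not sanitise names on write, so an entry
    called '../../evil' is stored exactly like that."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def safe_extract(archive_bytes, dest_dir):
    """Unpack into dest_dir; every entry must resolve to a path inside it.
    Returns the list of files written. Raises ValueError if any entry
    name (via '..', an absolute path, or both) escapes the directory."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Pass 1: validate every name before writing anything, so a bad
        # entry late in the archive cannot leave a half-unpacked tree.
        targets = []
        for info in zf.infolist():
            # Joining with an absolute name replaces dest entirely and
            # '..' components walk above it; resolve() makes both visible.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(
                    "rejected %r: resolves to %s outside %s"
                    % (info.filename, target, dest))
            targets.append((info, target))
        # Pass 2: write the validated entries.
        written = []
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_entries(entries):
    """Exercise the check: build an archive from constructed entries and
    extract it into a fresh temporary directory. Returns
    ('ok', [relative paths]) or ('rejected', reason)."""
    dest = Path(tempfile.mkdtemp(prefix="logviewer-"))
    try:
        files = safe_extract(build_sample_archive(entries), dest)
    except ValueError as exc:
        return "rejected", str(exc)
    return "ok", sorted(str(p.relative_to(dest)) for p in files)
```

The check is done on the resolved absolute path rather than by searching the name for "..", because names such as "logs/../../x" or an absolute path only reveal their effect after normalisation. Symbolic links are never created by this writer, so an entry cannot redirect a later write through a link it planted.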
2016: SAP NetWeaver Vulnerabilities
On June 20, 2016, Digital Security published a study revealing numerous vulnerabilities in SAP NetWeaver, the technical basis for all SAP applications. SAP Business Suite products based on the SAP NW platform are used by thousands of companies worldwide, including in Russia and the CIS.
The author of the work is Vaagn Vardyanyan, an expert in the SAP Security Audit Department at Digital Security. The scan covered 7348 SAP servers reachable over the Internet. About 1,400 components (applications) were installed on the server on which the study was conducted.
Exploitation of vulnerabilities
During the security analysis of SAP NetWeaver, many vulnerabilities were discovered, including an information disclosure vulnerability, SQL injection and a password hashing error. Chaining these security problems in some cases makes it possible first to obtain user logins, then the encrypted passwords and then, owing to the incorrect implementation of hashing, the password of any SAP JAVA user.
If an attacker discovers one or more of the listed vulnerabilities, the consequences may vary. For example, using only the user login disclosure bug, he can obtain user logins and open the portal at /irj/portal. If he then enters incorrect passwords for those logins, after 3-5 attempts all the accounts will be locked, and the business processes of the attacked company will simply stop until administrators unlock them manually.
Another attack vector is associated with the SQL injection. Using this vulnerability, an attacker can send 3-10 web requests to the SAP NW JAVA server requesting a large amount of data from the database. The database then consumes all server resources to satisfy the attacker's request, and the server stops responding to legitimate requests from employees: a classic DoS. In addition, an attacker can simply obtain any data, including critical data, from the SAP NW JAVA database without mounting a DoS attack at all.
Exploiting the SQL injection yields the users' password hashes. If the password hashing error is also exploited, it becomes possible to obtain the administrator's or an accountant's password with "one click," steal funds from the company's accounts and transfer them to any bank, and obtain the full user base and access to personal information, with the possibility of subsequent sale.
The study showed that about 1,013 servers are exposed to the information disclosure vulnerability (~14% of the 7348 scanned servers).
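The chain described above (injection yields hashes, weak hashing yields passwords) breaks at two points: a query that binds its parameters cannot be rewritten by the request, and a per-user salted, iterated hash cannot be reversed in bulk. The following added example, written for this page and not taken from SAP NW JAVA, puts the defective and the hardened user lookup side by side over a constructed in-memory SQLite user table and adds a PBKDF2-based password store; the table layout, user names and passwords are all constructed assumptions.

```python
"""Parameterised lookup and salted password hashing (added example, not SAP NW JAVA's code)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for the portal's user store.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash BLOB, salt BLOB)")


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF: two users with the same
    password get different hashes, and a stolen hash cannot be reversed
    with a precomputed table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return digest, salt


def add_user(login, password):
    digest, salt = hash_password(password)
    _db.execute("INSERT INTO users VALUES (?, ?, ?)", (login, digest, salt))


def find_user_unsafe(login):
    """The defect described above: the request parameter is pasted into
    the SQL text, so the parameter can rewrite the query."""
    sql = "SELECT login FROM users WHERE login = '%s'" % login
    return [row[0] for row in _db.execute(sql)]


def find_user_safe(login):
    """The same query with a bound parameter: the value is data, never SQL."""
    return [row[0] for row in _db.execute(
        "SELECT login FROM users WHERE login = ?", (login,))]


def verify_password(login, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = _db.execute("SELECT pw_hash, salt FROM users WHERE login = ?",
                      (login,)).fetchone()
    if row is None:
        return False
    digest, _ = hash_password(password, row[1])
    return hmac.compare_digest(digest, row[0])


def distinct_hash_count():
    """How many different stored hashes exist; with per-user salts this
    equals the number of users even when passwords repeat."""
    return _db.execute("SELECT COUNT(DISTINCT pw_hash) FROM users").fetchone()[0]


# Two constructed accounts deliberately sharing a password.
add_user("admin", "correct horse")
add_user("accountant", "correct horse")
```

With the unsafe lookup, a login value of `' OR '1'='1` turns a single-row query into a dump of the whole table, which is exactly the mass data extraction the study describes; the parameterised version returns nothing for that input because no login is literally that string.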
Port Availability Chart, (2016)
The availability statistics for the servlet that may contain the SQL injection vulnerability are telling: 2174 servers (i.e. ~30% of the 7348 scanned servers).
Servlet Availability Chart, (2016)
Digital Security notified SAP of the vulnerabilities found; the vendor promptly released patches and recommended that users update their software. Some of the security issues found were assigned a critical risk level (9.1/10 by SAP's classification).
2010
NetWeaver 7.3
According to SAP representatives, in 2010 a version of the platform will be released - NetWeaver 7.3, for which significantly improved Java support is promised, including certification for Java EE5 compliance, as well as expanded support for web services, enhanced identity management capabilities and various improvements in the field of user productivity, including corporate "workspaces."[2]
As indicated by SAP, in the future the platform will be involved in three key technological strategies of the company: mobile applications, cloud software and in-memory computing. NetWeaver is to be integrated with the mobile application platform acquired with the purchase of Sybase. A Gateway project is also being developed for NetWeaver that allows SAP system data to be accessed from multiple devices and applications. In addition, the in-memory computing engine used in the previously announced series of SAP analytical servers will be attached to the platform. SAP's cloud platform strategy will use the platform to provide management and development capabilities.
Note that, according to some observers, NetWeaver has not recently been developed as actively as the competing middleware stacks of Oracle and IBM. As a result, there were rumors that SAP would sooner or later buy a large middleware vendor such as TIBCO or Software AG.
Supported standards
As of May 2010, the SAP NetWeaver platform supports Internet standards such as HTTP, XML and Web services. This ensures openness and compatibility with Microsoft .NET and Java 2 Platform Enterprise Edition (J2EE) environments such as IBM WebSphere.
SAP NetWeaver Components and Tools
(Data current as of May 2010)
Components
- SAP Business Intelligence
- Enterprise Portal
- SAP Exchange Infrastructure (SAP XI)
- SAP Master Data Management
- SAP Mobile Infrastructure
- SAP Auto-ID Infrastructure
- SAP Web Application Server
Tools
- SAP Composite Application Framework
- SAP NetWeaver Developer Studio Development Environment
- SAP Solution Manager Platform
Additional solutions
- Archiving and managing SAP documents and data.