Unauthenticated JNDI Injection in RemoteObjectFactory P4 service
Impact On Business
An unauthenticated attacker with access to the P4 port of a Java-based SAP solution would be able to exploit a JNDI injection in order to turn on applications. As a consequence, further attacks could be executed by leveraging flaws or features in the newly turned-on applications.
This vulnerability is part of a larger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worse scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Affected Components Description
SERVERCORE/CORE-TOOLS/J2EE-FRMW components are a central part of the SAP NetWeaver Java layer.
As such, every product or solution based on that layer will be affected by this vulnerability.
Some of these products are:
- SAP Enterprise Portal
- SAP Solution Manager
- SAP PI/PO
- SAP Landscape Manager
- etc.
Vulnerability Details
P4 is a proprietary protocol implemented by SAP in the NetWeaver Java stack. In a nutshell, it is based on RMI and CORBA technologies and its goal is to provide features for exchanging objects remotely. Through the P4 interface it is possible to access a number of exposed services, all of which are implemented using JavaBeans technology.
Within that list of services, RemoteObjectFactory was found. This service provides a way to execute JNDI lookups. Because of a lack of sanitization, an arbitrary forged URL can be supplied and ends up as the parameter of the JNDI lookup. As a consequence, an attacker may be able to exploit this to turn on applications without authentication. These turned-on applications may provide extra attack surface and options for possible post-exploitation techniques.
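The lack-of-sanitization point above, as an added Java illustration that is not SAP's code and is not taken from the advisory: a service method that hands a remote caller's string straight to Context.lookup, next to a hardened variant that only resolves names under an allowlisted local namespace. The class name, method names and the sample lookup names are assumptions constructed for this example.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import java.util.Set;

/**
 * Added illustration (hypothetical, not SAP code): the unchecked JNDI lookup
 * pattern the advisory describes, beside a hardened lookup that applies an
 * allowlist before the name ever reaches a JNDI provider.
 */
public class JndiLookupExample {

    // Vulnerable pattern: whatever the remote caller sends becomes the lookup
    // name, so a name carrying a URL scheme is forwarded to that provider.
    static Object lookupUnchecked(Context ctx, String clientSuppliedName)
            throws NamingException {
        return ctx.lookup(clientSuppliedName);
    }

    // Hardened pattern: only names under these local prefixes are resolved.
    // (Prefixes are assumptions for the example; a real deployment would list
    // exactly the bindings the service is meant to expose.)
    private static final Set<String> ALLOWED_PREFIXES =
            Set.of("java:comp/env/", "java:global/");

    static boolean isAllowedName(String name) {
        if (name == null || name.isEmpty() || name.length() > 256) return false;
        // A scheme separator means a URL-style name: refuse it outright.
        if (name.contains("://")) return false;
        // No parent-segment tricks inside the allowed namespace.
        if (name.contains("..")) return false;
        // Must sit under an allowlisted prefix and use a restricted charset.
        boolean prefixed = ALLOWED_PREFIXES.stream().anyMatch(name::startsWith);
        return prefixed && name.matches("[A-Za-z0-9_./:-]+");
    }

    static Object lookupChecked(Context ctx, String clientSuppliedName)
            throws NamingException {
        if (!isAllowedName(clientSuppliedName)) {
            // Fail closed and leave an audit trail for the rejected name.
            throw new NamingException(
                    "lookup name rejected by allowlist: " + clientSuppliedName);
        }
        return ctx.lookup(clientSuppliedName);
    }

    public static void main(String[] args) {
        // Constructed sample names, as an unauthenticated network caller
        // might send them; only the first one passes the allowlist.
        String[] samples = {
            "java:comp/env/jdbc/AppDS",
            "ldap://untrusted.example/x",
            "rmi://untrusted.example:1099/Obj",
            "java:global/../x"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedName(s) ? "allowed" : "rejected"));
        }
    }
}
```

The allowlist is the check a defender would place in front of any lookup whose name originates from a network caller; it complements, rather than replaces, applying the vendor patch and keeping the P4 port unreachable from untrusted networks.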
Solution
SAP has released SAP Note 3317453 which provides patched versions of the affected components.
The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3317453
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.
Report Timeline
- 02/16/2023: Vulnerability reported to vendor.
- 02/16/2023: Vendor provides incident number.
- 05/09/2023: Patch released.
References
- Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-january-2023
- CVE Mitre: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
- Vendor Patch: https://me.sap.com/notes/3317453/E
- Black Hat Talk: https://www.blackhat.com/us-23/briefings/schedule/#chained-to-hit-discovering-new-vectors-to-gain-remote-and-root-access-in-sap-enterprise-software-31340
- P4chains blogpost: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Advisory Information
- Public Release Date: 04/15/2024
- Security Advisory ID: ONAPSIS-2023-0010
- Researcher(s): Pablo Artuso
Vulnerability Information
- Vendor: SAP
- Affected Components:
  - Java Kernel versions:
    - 7.50.3301.472568.20220902101413
    - 7.50.3301.467525.20210601093523
    - 7.50.3301.407179.20200416085516
  - SERVERCORE/CORE-TOOLS/J2EE-FRMW components versions:
    - 1000.7.50.24.7.20221009183400
    - 1000.7.50.22.0.20210804111800
    - 1000.7.50.2.0.20160125191600
  (Check SAP Note 3317453 for detailed information on affected releases)
- Vulnerability Class:
  - CWE-862: Missing Authorization
  - CWE-306: Missing Authentication for Critical Function
- CVSS v3 score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
- Risk Level: High
- Assigned CVE: CVE-2023-30744
- Vendor patch Information: SAP Security NOTE 3317453
ABOUT OUR RESEARCH LABS
Onapsis Research Labs provides the industry with analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License