IMPACT ON BUSINESS
This XSLT vulnerability allows an unprivileged authenticated attacker to execute OS commands as the SAP administrator OS-level user (sidadm). This results in a full compromise of the confidentiality, integrity and availability of the system.
AFFECTED COMPONENTS DESCRIPTION
SAP Enterprise Portal is a web frontend component for SAP Netweaver.
- ENGINEAPI 7.10
- ENGINEAPI 7.30
- ENGINEAPI 7.31
- ENGINEAPI 7.40
- ENGINEAPI 7.50
(Check SAP Note 3081888 for detailed information on affected releases)
The XSLT engine of the SAP Portal component com.sapportals.wcm.repository.filter does not correctly neutralize malicious input, which makes it vulnerable to XSLT injection. With a low-privileged user, it is possible to make the XSLT engine process an XSL file owned by the attacker.
Privileges required for this attack:
- User groups: Authenticated Users, Everyone
- User roles: None
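The root cause described above is an XSLT engine that can be pointed at a stylesheet the attacker controls. The following Java snippet is an added, generic hardening example written for this advisory; it is not SAP's code nor the fix shipped in SAP Note 3081888. It shows the two controls a defender wants around any server-side XSLT processing: a caller-supplied stylesheet name is only ever resolved inside an allowlisted directory (rejecting traversal and absolute paths), and the TransformerFactory is configured so that the stylesheet itself cannot call extension functions or pull in external resources. The directory /opt/app/xslt and the class and method names are assumptions for illustration. The ACCESS_EXTERNAL_* attributes are supported by the JDK's built-in XSLTC processor; older standalone Xalan builds may reject them with an IllegalArgumentException, which is itself a signal to treat that processor as unsafe for untrusted stylesheet selection.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added hardening example (not SAP code): constrained server-side XSLT processing. */
public final class SafeXsltRunner {

    // Hypothetical allowlisted directory that holds only the application's own stylesheets.
    private static final Path STYLESHEET_DIR =
            Paths.get("/opt/app/xslt").toAbsolutePath().normalize();

    /** Resolve a caller-supplied stylesheet name strictly inside the allowlisted directory. */
    static Path resolveStylesheet(String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IOException("invalid stylesheet name");
        }
        // normalize() collapses "../" segments; the prefix check then rejects any escape,
        // including absolute paths such as "/tmp/evil.xsl" that resolve() would pass through.
        Path candidate = STYLESHEET_DIR.resolve(name).toAbsolutePath().normalize();
        if (!candidate.startsWith(STYLESHEET_DIR)) {
            throw new IOException("stylesheet outside allowlisted directory: " + name);
        }
        return candidate;
    }

    /** Build a TransformerFactory that cannot run extensions or fetch external resources. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables extension functions (e.g. Java extensions in Xalan),
        // which are the usual bridge from a hostile stylesheet to OS command execution.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol lists block xsl:import, xsl:include, document() and DTD fetches
        // from reaching the filesystem or network.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Apply an allowlisted stylesheet to an XML document and return the result as text. */
    static String transform(String stylesheetName, String xmlInput) throws Exception {
        Path xsl = resolveStylesheet(stylesheetName);
        Transformer t = hardenedFactory().newTransformer(new StreamSource(xsl.toFile()));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xmlInput)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a benign stylesheet name resolves; a traversal attempt is refused.
        System.out.println(resolveStylesheet("report.xsl"));
        try {
            resolveStylesheet("../../tmp/attacker.xsl");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important design point is that both controls are needed: path allowlisting stops the engine from loading an attacker-owned file, while the factory hardening limits the damage if a stylesheet in the allowlisted directory is ever tampered with or if the application later grows a code path that accepts stylesheets from another source.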
SOLUTION
SAP has released SAP Note 3081888, which provides patched versions of the affected components.
The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/3074844.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
REPORT TIMELINE
- 06/28/2021: Onapsis sends details to SAP
- 06/28/2021: SAP provides internal ID
- 09/14/2021: SAP releases SAP Note fixing the issue.
ADVISORY INFORMATION
- Public Release Date: 01/26/2022
- Security Advisory ID: ONAPSIS-2021-0026
- Vulnerability Submission ID: 889
- Researcher(s): Yvan Genuer
- Vendor: SAP
- Vulnerability Class: CWE-138: Improper Neutralization of Special Elements
- CVSS v3 score: 9.9 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity: Critical
- CVE: CVE-2021-37531
- Vendor patch Information: SAP Security Note 3081888
ABOUT OUR RESEARCH LABS
Onapsis Research Labs provides the industry with analysis of key security issues that impact mission-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License