SAP Enterprise Portal – SSRF iviewCatcherEditor

IMPACT ON BUSINESS

Successful attacks can lead to various types of exploitation like CSRF, html injection, data exfiltration, depending on the victim’s privileges.

AFFECTED COMPONENTS DESCRIPTION

SAP Enterprise Portal is a web frontend component for SAP Netweaver.

Affected components:

• EP-RUNTIME 7.10
• EP-RUNTIME 7.11
• EP-RUNTIME 7.20
• EP-RUNTIME 7.30
• EP-RUNTIME 7.31
• EP-RUNTIME 7.40
• EP-RUNTIME 7.50

(Check SAP Note 3074844 for detailed information on affected releases)

VULNERABILITY DETAILS

The SAP Portal component Iviews Editor contains a Server Side Request Forgery (SSRF) vulnerability. It allows an unauthenticated attacker to craft a malicious url that would trick the victim into making any type of request (POST, GET, etc) to any internal or external server.

SOLUTION

SAP has released SAP Note 3074844 which provides patched versions of the affected components.

The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/3074844.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

REPORT TIMELINE

• 04/28/2021: Onapsis sends details to SAP
• 04/28/2021: SAP provides internal ID
• 08/10/2021: SAP releases SAP Note fixing the issue.

REFERENCES

• Onapsis Blog Post: https://onapsis.com/blog/sap-security-patch-day-august-2021
• CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33705
• Vendor Patch: https://launchpad.support.sap.com/#/notes/3074844