SAP Enterprise Portal – XSLT injection

IMPACT ON BUSINESS

This XSLT vulnerability allows an unprivileged authenticated attacker to execute an OS command as SAP administrator OS-level (sidadm). This results in a full compromise of the confidentiality, integrity and availability of the system.

AFFECTED COMPONENTS DESCRIPTION

SAP Enterprise Portal is a web frontend component for SAP Netweaver.

Affected components:

• ENGINEAPI 7.10
• ENGINEAPI 7.30
• ENGINEAPI 7.31
• ENGINEAPI 7.40
• ENGINEAPI 7.50

(Check SAP Note 3081888 for detailed information on affected releases)

VULNERABILITY DETAILS

The XSLT Engine of the SAP Portal application com.sapportals.wcm.repository.filter does not correctly handle malicious xslt injection type. With a low privilege user, it is possible to trigger the xslt engine to use an xsl file owned by the attacker.

Privileges required for this attack :

• User groups : Authenticated Users, Everyone
• User roles : None

SOLUTION

SAP has released SAP Note 3081888 which provides patched versions of the affected components.

The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/3074844.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.
REPORT TIMELINE

• 06/28/2021: Onapsis sends details to SAP
• 06/28/2021: SAP provides internal ID
• 09/14/2021: SAP releases SAP Note fixing the issue.

REFERENCES

• Onapsis Blog Post: https://onapsis.com/blog/sap-security-patch-day-august-2021
• CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37531
• Vendor Patch: https://launchpad.support.sap.com/#/notes/3081888