SAP Solution Manager Open Redirect from Trace Analysis

Impact On Business

Under certain circumstances, an attacker might be able to steal a cookie from the application. It may impact the confidentiality of the service.

Affected Components Description

SAP Solution Manager 7.2

(Check SAP Note 2938650 for detailed information on affected releases)

Vulnerability Details

An open redirect vulnerability exists in the E2E Trace Analysis application in SAP Solution Manager 7.2. The servlet `/E2eTraceGatewayW/E2eTraceServlet` uses the current user's information to gather log content stored in the backend server. An attacker can supply a link to a malicious site as a parameter in the application URL and share the resulting link with an end user; the malicious site could then trick the victim into entering credentials or downloading malicious software.
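The root cause of an open redirect of this kind is a redirect target taken from a request parameter and followed without validation. The following is an added example, not code from the advisory or from SAP, showing a validator that accepts only same-site relative paths or absolute URLs on an allowlisted host; the host `solman.example.corp`, the parameter name `redirectUrl` and the request shape are constructed assumptions. It goes slightly beyond the advisory by handling the common bypasses a plain "starts with /" check misses (protocol-relative `//host`, backslash confusion, non-HTTP schemes and userinfo tricks).

```python
"""Redirect-target validation for a servlet that echoes a URL parameter.

Added example; not SAP or Onapsis code. Hosts, parameter names and
request dictionaries below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the application may redirect to.
ALLOWED_HOSTS = frozenset({"solman.example.corp"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` stays on this site or an allowlisted host.

    Rejects: empty values, non-http(s) schemes (javascript:, data:),
    protocol-relative URLs (//evil), backslash variants (/\\evil),
    absolute URLs to hosts outside the allowlist, and userinfo tricks
    (https://allowed.host@evil).
    """
    if not target:
        return False

    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless relative path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    # Any explicit scheme other than http/https is rejected outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or protocol-relative URL: compare the parsed hostname only,
        # so "https://allowed@evil" resolves to "evil" and is rejected.
        if parts.username is not None or parts.password is not None:
            return False
        host = (parts.hostname or "").lower()
        return host in allowed_hosts

    # No authority component: require a single leading "/" so the browser
    # resolves the path against the current origin. "//" is a network-path
    # reference and has already been handled above, but reject it again
    # defensively in case the parser treated it as an empty netloc.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(target, fallback="/"):
    """Return the target if it passes validation, otherwise a safe default."""
    return target if is_safe_redirect(target) else fallback


def handle_request(params, fallback="/"):
    """Simulate the hardened servlet: only follow a validated target.

    `params` mimics the request's query parameters; `redirectUrl` is a
    hypothetical parameter name, not the one used by the real servlet.
    """
    return resolve_redirect(params.get("redirectUrl", ""), fallback)


if __name__ == "__main__":
    # Constructed sample requests: the first two are benign, the rest are
    # the shapes an attacker would send to a vulnerable servlet.
    samples = [
        {"redirectUrl": "/E2eTraceGatewayW/E2eTraceServlet?view=summary"},
        {"redirectUrl": "https://solman.example.corp/sap/bc/ui"},
        {"redirectUrl": "https://evil.example/login"},
        {"redirectUrl": "//evil.example/login"},
        {"redirectUrl": "/\\evil.example/login"},
        {"redirectUrl": "https://solman.example.corp@evil.example/"},
        {"redirectUrl": "javascript:alert(1)"},
    ]
    for req in samples:
        print(f"{req['redirectUrl']!r:55} -> {handle_request(req)}")
```

Two design points matter for defenders: compare the parsed `hostname`, never a string prefix of the raw URL, and treat every rejected value as a reason to log the request, since a burst of rejected redirect targets is a useful indicator that someone is probing the endpoint.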

Solution

SAP has released SAP Note 2938650 which provides patched versions of the affected components.

The patches can be downloaded from: https://launchpad.support.sap.com/#/notes/2938650

Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risk.

Report Timeline

  • 04/30/2020 – Onapsis provides details to SAP
  • 04/30/2020 – SAP provides ID: SR-20-00204
  • 05/11/2020 – SAP provides update: “Vulnerability in progress”
  • 10/12/2020 – SAP provides update: “Fix in progress”
  • 12/08/2020 – SAP releases SAP Note fixing the issue. Vulnerability is now closed

REFERENCES

Advisory Information

  • Public Release Date: 06/14/2021
  • Security Advisory ID: ONAPSIS-2021-005
  • Vulnerability Submission ID: 857
  • Researcher(s): Yvan Genuer

Vulnerability Information

  • Vendor: SAP
  • Vulnerability Class: [CWE-601] URL Redirection to Untrusted Site
  • CVSS v3 score: 3.4 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)
  • Severity: Low
  • CVE: CVE-2020-26836
  • Vendor patch Information: SAP Security Note #2938650

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories

LICENSE

This advisory is licensed under a Creative Commons 4.0 BY-ND International License
