Unauthenticated Information Disclosure in CacheRegionAnalyzer P4 service
Impact On Business
An unauthenticated attacker with access to the P4 port of a java-based SAP solution, would be able to exfiltrate sensitive technical information that could be leveraged for future attacks.
This vulnerability is part of a bigger family named P4CHAINS. This group of bugs may cause more serious consequences and expose systems to worst scenarios. For more information please visit: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Affected Components Description
SERVERCORE/CORE-TOOLS/J2EE-FRMW components are a central part of the SAP Netweaver JAVA layer.
As such, every product or solution based on that layer will be affected by this vulnerability.
Some of these products are:
- SAP Enterprise Portal
- SAP Solution Manager
- SAP PI/PO
- SAP Landscape Manager
Vulnerability Details
P4 is a proprietary protocol implemented by SAP in the NetWeaver JAVA stack. In a nutshell, this protocol is based on RMI and CORBA technologies with the goal of providing features for interchanging objects in a remote way. Through, the P4 interface it is possible to access to a bunch of exposed services. All those services are implemented using JAVABeans technology.
Within that list of services, CacheRegionAnalyzer was found. This service provides information of users, visited urls, senstive URL parameters, cache groups, and more information that is cached inside the system. As all functions exposed by this object were not enforcing authentication nor authorization, any anonymous attacker could extract valuable information for further attacks.
Solution
SAP has released SAP Note 3288096 which provides patched versions of the affected components.
The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3288096.
Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.
Report Timeline
- 11/21/2022: Vulnerability reported to vendor.
- 11/22/2022: Vendor provides incident number.
- 03/14/2023: Patch released.
References
- Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-january-2023
- CVE Mitre: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
- Vendor Patch: https://me.sap.com/notes/3288096/E
- Black Hat Talk: https://www.blackhat.com/us-23/briefings/schedule/#chained-to-hit-discovering-new-vectors-to-gain-remote-and-root-access-in-sap-enterprise-software-31340
- P4chains blogpost: https://onapsis.com/blog/p4chains-vulnerabilities-where-the-risk-from-the-whole-is-greater-than-the-sum
Advisory Information
- Public Release Date: 02/01/2024
- Security Advisory ID: ONAPSIS-2023-0008
- Researcher(s): Pablo Artuso
Vulnerability Information
- Vendor: SAP
- Affected Components:
- Java Kernel versions:
- 7.50.3301.472568.20220902101413
- 7.50.3301.467525.20210601093523
- 7.50.3301.407179.20200416085516
- SERVERCORE/CORE-TOOLS/J2EE-FRMW components versions:
- 1000.7.50.24.7.20221009183400
- 1000.7.50.22.0.20210804111800
- 1000.7.50.2.0.20160125191600
(Check SAP Note 3288096 for detailed information on affected releases)
- Vulnerability Class:
- CWE-862: Missing Authorization
- CWE-306: Missing Authentication for Critical Function
- CVSS v3 score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- Risk Level: Medium
- Assigned CVE: CVE-2023-26460
- Vendor patch Information: SAP Security NOTE 3288096
ABOUT OUR RESEARCH LABS
Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories
This advisory is licensed under a Creative Commons 4.0 BY-ND International License